user@threatcheck.sh ~ threat-analysis
$ analyze-threat PWS:MSIL/Stealer!rfn
PWS:MSIL/Stealer!rfn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: PWS:MSIL/Stealer!rfn
Classification:
Type: PWS (password stealer)
Platform: MSIL (.NET / Microsoft Intermediate Language)
Family: Stealer
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (an internal Microsoft category marker; it does not indicate ransomware, and this threat is a credential stealer, not ransomware)
Confidence: Very High
False-Positive Risk: Low (each rule fires on a weighted combination of its strings reaching a threshold, not on a single generic entry)

Concrete signature match: PWS (password stealer: steals credentials and other sensitive information) on the MSIL (.NET / Microsoft Intermediate Language) platform, family Stealer.

Summary:

PWS:MSIL/Stealer!rfn is a concrete detection that Microsoft Defender applies to a broad set of .NET information stealers rather than to one code base; the static strings below name many of them (UFR Stealer, Atrax, Evrial, Babax, Ave_Maria, RedLine.Reburn, Arkei, StormKitty, Mars Stealer, Exela, Skuld, Pillager, Adamantium-Thief, the Amadey StealerDLL, BlackNET's password-stealer plugin, and assorted Discord, Steam, Growtopia and Roblox token grabbers). The oldest rules match a keylogger spread by social engineering (the "sexy screensaver" lures and the [HTTP]/[Keylogger] log markers). What the set has in common: it harvests saved browser credentials and cookies (Chromium Login Data, Local State and os_crypt.encrypted_key; Firefox logins.json, key4.db and signons.sqlite), messaging and e-mail accounts (Pidgin accounts.xml, Trillian, Google Talk, The Bat!, Outlook, Thunderbird), FTP client configs (FileZilla recentservers.xml and sitemanager.xml, Total Commander WCX_FTP.INI), cryptocurrency wallets (Bitcoin, Litecoin and Dash wallet.dat, Electrum, Exodus, Coinomi, Monero, Jaxx), Discord tokens (Local Storage\leveldb and the mfa\. token regex) and Steam session files (loginusers.vdf, SteamAppData.vdf); it captures screenshots and keystrokes; it fingerprints the host over WMI (Win32_ComputerSystem, root\SecurityCenter2 for the installed AV); and it exfiltrates over HTTP gates (gate.php, upload.php), Discord webhooks, the Telegram bot API, SMTP or FTP. Several rules also carry defense-evasion commands: adding Defender exclusions with Add-MpPreference, stopping WinDefend, deleting the Defender policy key, self-deletion via "choice /C Y /N /D Y /T 3 & Del", and sandbox checks for SbieDll.dll, VMware and VirtualBox artefacts.

Not every rule in the set is MSIL. Strings such as SOFTWARE\Borland\Delphi\RTL, MSVBVM60.DLL, Go package paths (github.com/...) and the MACROHSTR_EXT entries show that Delphi, VB6, Go and Office-macro components are bundled under the same threat name, so the platform field should not be read as a guarantee that a flagged file is a .NET assembly.

Severity:
High
VDM Static Detection:
Relevant strings associated with this threat (PEHSTR / PEHSTR_EXT rules for PE files, MACROHSTR_EXT for Office macro text, plus one FILEPATH and one SNID entry). A rule fires when a weighted combination of its strings reaches a threshold, which is why generic entries such as cmd.exe, .exe or System.Text appear below without being detections on their own. Two quirks to read past: some entries begin with a stray character ("/Sexy Screensaver...", "BCheck what i found...", ";Software\Microsoft...", "4Microsoft\Windows Defender\MpEngine...") that is the length byte of a length-prefixed (Pascal-style) string in the original binary and is genuinely part of the matched bytes; and several entries carry a junk token interleaved in the constant (GASHSA, RCA, FAASD, Replace, 576xed, "windows defender sucks") that the sample strips at runtime with String.Replace, so the signature matches the obfuscated literal exactly as stored in the assembly.
 - /Sexy Screensaver For You, delivered by a friend (PEHSTR)
 - BCheck what i found. Its saved in PIF format (Picture image Format) (PEHSTR)
 - #Someone sent you a sexy screensaver (PEHSTR)
 - autoemail@screensaver.com (PEHSTR)
 - MSNPasswordStealer_Setup.exe (PEHSTR)
 - MSNHack.exe (PEHSTR)
 - AOL_Hack.exe (PEHSTR)
 - AOL_Password_Stealer.exe (PEHSTR)
 - :[HTTP] Downloading File ( (PEHSTR)
 - :[HTTP] Downloading Update ( (PEHSTR)
 - :[HTTP] Downloaded (PEHSTR)
 - :[HTTP] Opened (PEHSTR)
 - :[HTTP] Failed To Open (PEHSTR)
 - :[HTTP] Download Failed (PEHSTR)
 - :[HTTP] Visit Successfull (PEHSTR)
 - :[HTTP] Visit Failed (PEHSTR)
 - $:[Keygrab] User wrote "login"; http: (PEHSTR)
 - B:[Keylogger] Max-size of logfile reached. Saved as (st.log-backup) (PEHSTR)
 - \slugsend\death-ap100s (PEHSTR)
 - \slugsend\death-apc (PEHSTR)
 - UFR_Stealer_ (PEHSTR_EXT)
 - .purple\accounts.xml (PEHSTR_EXT)
 - \The Bat!\ (PEHSTR_EXT)
 - %s%s\Account.cfn (PEHSTR_EXT)
 - C:\TEMP\win32.dll (PEHSTR)
 - https\shell\open\command (PEHSTR)
 - SOFTWARE\Borland\Delphi\RTL (PEHSTR)
 - ;Software\Microsoft\Windows\CurrentVersion\Internet Settings (PEHSTR)
 - Game Key - Stealer (PEHSTR)
 - UnLimited PW - Stealer (PEHSTR)
 - \pwfile.log (PEHSTR_EXT)
 - \logencrypt.log (PEHSTR_EXT)
 - Codesoft PW Stealer (PEHSTR_EXT)
 - FTP Password Stealer (PEHSTR_EXT)
 - \Temp\u16event.html (PEHSTR)
 - @Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (PEHSTR)
 - Passport.Net\* (PEHSTR)
 - $Software\Google\Google Talk\Accounts (PEHSTR)
 - \yahoo.ini (PEHSTR)
 - \Trillian\users\default (PEHSTR)
 - \Steam.dll (PEHSTR)
 - \Mozilla\Firefox\Profiles\ (PEHSTR)
 - :Software\Microsoft\Internet Explorer\IntelliForms\Storage2 (PEHSTR)
 - HTTPMail Password2 (PEHSTR)
 - 4Software\Microsoft\Internet Account Manager\Accounts (PEHSTR)
 - RS Stealer v (PEHSTR_EXT)
 - RS_Stealer (PEHSTR_EXT)
 - \Mozilla\Firefox\profiles.ini (PEHSTR_EXT)
 - Firefox Stealer (PEHSTR_EXT)
 - camStealer (PEHSTR_EXT)
 - HttpFlood (PEHSTR_EXT)
 - EnableDisCMD (PEHSTR_EXT)
 - EnablGameStealer (PEHSTR_EXT)
 - Screen_Stealer.Resources (PEHSTR_EXT)
 - UFR_Stealer_2310 (PEHSTR_EXT)
 - Registry-Grabbing.reg (PEHSTR_EXT)
 - StealerLog (PEHSTR_EXT)
 - UFR_Stealer_ (PEHSTR)
 - Opera\wand.dat (PEHSTR)
 - Ghisler\Total Commander (PEHSTR)
 - .purple\accounts.xml (PEHSTR)
 - Google Talk\Accounts (PEHSTR)
 - Registry-Grabbing.reg (PEHSTR)
 - dokotaaaa.hop.ru (PEHSTR)
 - UFR Stealer Report [ %s ] (PEHSTR_EXT)
 - File-Paths.txt (PEHSTR_EXT)
 - Files-Are-Copied.txt (PEHSTR_EXT)
 - ftp.front.ru (PEHSTR_EXT)
 - UFR Stealer Report (PEHSTR_EXT)
 - WCX_FTP.INI (PEHSTR_EXT)
 - Content-Type: image/jpeg; (PEHSTR_EXT)
 - ie_passwords.txt (PEHSTR_EXT)
 - /botnet/upload.php (PEHSTR_EXT)
 - Projekte\VB.NET - Papst Stealer.NET\sTUB\ (PEHSTR_EXT)
 - \Unknown Logger  (PEHSTR_EXT)
 - CD_KeysStealer (PEHSTR_EXT)
 - q=atraxstealer (PEHSTR_EXT)
 - Atrax Stealer (PEHSTR_EXT)
 - <-t6<_t2<.t.<~t*< u (PEHSTR_EXT)
 - SmartStealer Cracked (PEHSTR_EXT)
 - tradeoffer/new/?partner= (PEHSTR_EXT)
 - common,uncommon,rare,mythical,legendary,immortal (PEHSTR_EXT)
 - steamclient.dll (PEHSTR_EXT)
 - Stealer.exe (PEHSTR)
 - Stealer.Browser (PEHSTR)
 - Stealer.Common (PEHSTR)
 - Stealer.Communicator (PEHSTR)
 - Stealer.Compression (PEHSTR)
 - Stealer.ConfigManager (PEHSTR)
 - Stealer.Cryptography (PEHSTR)
 - Stealer.KeyLogger (PEHSTR)
 - Stealer.Messenger (PEHSTR)
 - Stealer.Model (PEHSTR)
 - Stealer.Annotations (PEHSTR)
 - Stealer.Properties (PEHSTR)
 - Stealer.SQLite (PEHSTR)
 - Stealer.SystemInfo (PEHSTR)
 - Stealer.Update (PEHSTR)
 - SteamStealerExtreme (PEHSTR)
 - .Item>>.GetEnumerator (PEHSTR)
 - .Item>>.get_Current (PEHSTR)
 - SteamStealerExtreme (PEHSTR_EXT)
 - jects\Stealer\Stealer\ (PEHSTR_EXT)
 - SteamStealer.Properties (PEHSTR_EXT)
 - acceptAllIncomingTrades (PEHSTR_EXT)
 - SteamStealer. (PEHSTR_EXT)
 - SteamFileStealerExtreme (PEHSTR)
 - InventoryStealer (PEHSTR_EXT)
 - SteamStealer (PEHSTR_EXT)
 - steam.exe" "%1" (PEHSTR_EXT)
 - \SteamAppData.vdf (PEHSTR_EXT)
 - \loginusers.vdf (PEHSTR_EXT)
 - \Steam Core\.src visur\ (PEHSTR_EXT)
 - SteamFileStealerExtreme (PEHSTR_EXT)
 - SteamStealer (PEHSTR)
 - Steam Stealer 5.0 (PEHSTR_EXT)
 - Stealers (PEHSTR_EXT)
 - Electrum\electrum.dat (PEHSTR_EXT)
 - multibit.wallet (PEHSTR_EXT)
 - Bitcoin\wallet.dat (PEHSTR_EXT)
 - Wallet Stealer\BWS-Stub\Release\BWS-Stub.pdb (PEHSTR_EXT)
 - StealerRunner (PEHSTR_EXT)
 - ExternalStealers (PEHSTR_EXT)
 - ScreenshotLogger (PEHSTR_EXT)
 - PasswordStealer (PEHSTR_EXT)
 - BitcoinStealer.exe (PEHSTR_EXT)
 - ProjectEvrial.Stealer (PEHSTR_EXT)
 - BitcoinStealer (PEHSTR_EXT)
 - Evrial.Stealer (PEHSTR_EXT)
 - Evrial.Hardware (PEHSTR_EXT)
 - Evrial.Cookies (PEHSTR_EXT)
 - \\.\PhysicalDrive0 (PEHSTR_EXT)
 - .dll (PEHSTR_EXT)
 - InfoLogs/PC (PEHSTR_EXT)
 - Windows\CurrentVersion\Run (PEHSTR_EXT)
 - .hostland.pro/ (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 - ftp57.hostland.ru (PEHSTR_EXT)
 - BitcoinStealer.exe (PEHSTR)
 - \ProgramData (PEHSTR_EXT)
 - FacebookRobot.lib (PEHSTR_EXT)
 - Obj\Release\SharpX.pdb (PEHSTR_EXT)
 - Loki\ (PEHSTR_EXT)
 - \loki.pdb (PEHSTR_EXT)
 - ip.txt (PEHSTR)
 - System.txt (PEHSTR)
 - PasswordsList.txt (PEHSTR)
 - Browsers\Cookies (PEHSTR)
 - Browsers\History (PEHSTR)
 - moz_historyvisits.visit_date (PEHSTR)
 - \places.sqlite (PEHSTR)
 - https://www.facebook.com/ (PEHSTR)
 - #<script>bigPipe.beforePageletArrive (PEHSTR)
 - PasswordStealer (PEHSTR)
 - WinHttpReq.Send (MACROHSTR_EXT)
 - winMgmts.ExecQuery(Base64DecodeString (MACROHSTR_EXT)
 - Base64EncodeString(GetDocName & "|" & GetComputerInfo & "|" & GetOSInfo & "|" & GetAV & "|" & GetProc) (MACROHSTR_EXT)
 - MSVBVM60.DLL (PEHSTR_EXT)
 - PStealer_FileZilla (PEHSTR_EXT)
 - Stealer_TotalCmd (PEHSTR_EXT)
 - Server\PasswordViewOnly (PEHSTR_EXT)
 - discord.com/api/webhooks/ (PEHSTR_EXT)
 - CplusplusTest.pdb (PEHSTR_EXT)
 - Discord\Local Storage\leveldb (PEHSTR_EXT)
 - Lightcord\Local Storage\leveldb (PEHSTR_EXT)
 - Opera Software\Opera Stable\Local Storage\leveldb (PEHSTR_EXT)
 - Google\Chrome\User Data\Default\Local Storage\leveldb (PEHSTR_EXT)
 - Microsoft\Edge\User Data\Default\Local Storage\leveldb (PEHSTR_EXT)
 - Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb (PEHSTR_EXT)
 - BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb (PEHSTR_EXT)
 - upload_screenshot (PEHSTR)
 - http://fasterpdfinstall.xyz:10000/cookie (PEHSTR_EXT)
 - CHCookie.pdb (PEHSTR_EXT)
 - RocketXStealer (PEHSTR)
 - XO-JAM. (PEHSTR_EXT)
 - CO-JAM. (PEHSTR_EXT)
 - http://107.173.191.123/swift/Fepviueeh_Djesbqqi.jpg (PEHSTR_EXT)
 - ProcessStealer (PEHSTR)
 - BuildStealer_Click (PEHSTR)
 - No_Virus_EXE_By_Haf (PEHSTR)
 - /C choice /C Y /N /D Y /T 3 & Del " (PEHSTR_EXT)
 - /Windows/Discord (PEHSTR_EXT)
 - \BitcoinCore\wallet.dat (PEHSTR_EXT)
 - \discord\Local Storage\https_discordapp.com (PEHSTR_EXT)
 - \Browsers\Passwords.txt (PEHSTR_EXT)
 - C:\ProgramData\debug.txt (PEHSTR_EXT)
 - Stealer (PEHSTR_EXT)
 - https://discordapp.com/api/webhooks/ (PEHSTR_EXT)
 - \Google\Chrome\User Data\Default\Local Storage\leveldb\ (PEHSTR_EXT)
 - \discord\Local Storage\leveldb\ (PEHSTR_EXT)
 - \LDISCORD\ (PEHSTR_EXT)
 - _Files\_AllPasswords_list.txt (PEHSTR)
 - http://u2729.mh0.ru/ (PEHSTR_EXT)
 - Passwords.txt (PEHSTR_EXT)
 - FireFox\logins.json (PEHSTR_EXT)
 - CreditCards.txt (PEHSTR_EXT)
 - Filezilla\Passwords.txt (PEHSTR_EXT)
 - VPN\ProtonVPN\Passwords.txt (PEHSTR_EXT)
 - Psi\Passwords.txt (PEHSTR_EXT)
 - Pidgin\Passwords.txt (PEHSTR_EXT)
 - BitcoinCore\wallet.dat (PEHSTR_EXT)
 - DashCore\wallet.dat (PEHSTR_EXT)
 - LitecoinCore\wallet.dat (PEHSTR_EXT)
 - Select * from Win32_ComputerSystem (PEHSTR_EXT)
 - .cctor (PEHSTR_EXT)
 - DarkStealer (PEHSTR_EXT)
 - Passwords_Edge.txt (PEHSTR_EXT)
 - //setting[@name='Password']/value (PEHSTR_EXT)
 - \Passwords_Mozilla.txt (PEHSTR_EXT)
 - echelon.txt (PEHSTR_EXT)
 - GetStealer (PEHSTR_EXT)
 - vaultcli.dll (PEHSTR)
 - passff.tar (PEHSTR)
 - cookie.tar (PEHSTR)
 - \files\Wallets (PEHSTR)
 - multidoge.wallet (PEHSTR)
 - \Exodus\exodus.wallet (PEHSTR)
 - files\passwords.txt (PEHSTR)
 - /c taskkill /im (PEHSTR)
 - AppData\Roaming\Arkei (PEHSTR_EXT)
 - Mozilla\Firefox\Profiles (PEHSTR_EXT)
 - System.Configuration (PEHSTR_EXT)
 - System.Globalization (PEHSTR_EXT)
 - System.Runtime.Serialization (PEHSTR_EXT)
 - System.Reflection (PEHSTR_EXT)
 - Pillager\obj\Release\Pillager.pdb (PEHSTR_EXT)
 - Pillager.exe (PEHSTR_EXT)
 - Token-Browser-Password-Stealer-Creator (PEHSTR_EXT)
 - sendhookfile.exe (PEHSTR_EXT)
 - C:/temp/WebBrowserPassView.exe (PEHSTR_EXT)
 - System.Reflection.Emit (PEHSTR_EXT)
 - HttpResponse (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - System.Security.AccessControl (PEHSTR_EXT)
 - .babaxed (PEHSTR_EXT)
 - babaxv2.exe (PEHSTR_EXT)
 - \BABAX-Stealer\BabaxStealer v2\Babax (PEHSTR_EXT)
 - shryy32.dyy (PEHSTR)
 - /tedburke/CommandCam/master/CommandCam.exe (PEHSTR_EXT)
 - Trying create screenshot from camera (PEHSTR_EXT)
 - /LimerBoy/hackpy/master/modules/audio.zip (PEHSTR_EXT)
 - Failed to decrypt file. Wrong password! (PEHSTR_EXT)
 - \keylogs (PEHSTR_EXT)
 - /master/Stealer/Stealer/modules/Sodium.dll (PEHSTR_EXT)
 - /TelegramRAT/core/libs/AudioSwitcher.AudioApi.dll (PEHSTR_EXT)
 - Ave_Maria Stealer (PEHSTR_EXT)
 - "Content-Type: application/upload" + vbCrLf + vbCrLf (MACROHSTR_EXT)
 - Application.NormalTemplate.Path & " " & Chr(38) & " copy " &  (MACROHSTR_EXT)
 - .vbs" & " " & Chr(38) & (MACROHSTR_EXT)
 - .WriteLine "  Physical (MAC) address: " & objAdapter.MACAddress (MACROHSTR_EXT)
 -  http://csv.posadadesantiago.com/ (PEHSTR)
 - *Content-Type: application/x-zip-compressed (PEHSTR)
 - $http://%s/home/?id=%s&act=wbi&ver=%s (PEHSTR)
 - source\repos\webCreds\obj\Release\webCreds.pdb (PEHSTR_EXT)
 - screenshot.png (PEHSTR_EXT)
 - credentials.txt (PEHSTR_EXT)
 - pwd.txt (PEHSTR_EXT)
 - PasteStealer (PEHSTR_EXT)
 - \AppData\Local\Growtopia (PEHSTR_EXT)
 - echo j | del Trinity.bat (PEHSTR_EXT)
 - \AppData\Roaming\Services.exe (PEHSTR_EXT)
 - SetCompatibleTextRenderingDefault (PEHSTR_EXT)
 - RedLine.Reburn.Models (PEHSTR_EXT)
 - RedLine.Reburn.Data (PEHSTR_EXT)
 - 1ese92VWgsRJFT1srbgo5SFPIMk+jbLKTQ5ewNnKClI5csh6i5HItc6B40fr9wVIfYpUxb63Gvz4DGxgcD7qn2prJsnnb2tpZ+3zDqOUhcoTOoF0F7KDoLSLZDP3aQ5cAqh/bcGXWvQpfVDZoDC66W+BXEQw8VkWZAHPNKFE6WCHrFZSZRNnLmsFE (PEHSTR)
 - ServerComputer (PEHSTR_EXT)
 - System.Threading (PEHSTR_EXT)
 - ParseXmlDescription (PEHSTR_EXT)
 - System.Data.SqlClient (PEHSTR_EXT)
 - System.IO.Compression (PEHSTR_EXT)
 - commandLine (PEHSTR_EXT)
 - ExecuteNonQuery (PEHSTR_EXT)
 - System.Drawing (PEHSTR_EXT)
 - System.Security.Principal (PEHSTR_EXT)
 - System.Runtime.Remoting (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - System.Net (PEHSTR_EXT)
 - System.Security.Cryptography (PEHSTR_EXT)
 - get_ExecutablePath (PEHSTR_EXT)
 - AMe8.dll (PEHSTR_EXT)
 - AMe8.My (PEHSTR_EXT)
 - AMe8.Resources.resources (PEHSTR_EXT)
 - files\outlook.txt (PEHSTR_EXT)
 - files\information.txt (PEHSTR_EXT)
 - passwords.txt (PEHSTR_EXT)
 - \logins.json (PEHSTR_EXT)
 - screenshot.jpg (PEHSTR_EXT)
 - image/jpeg (PEHSTR_EXT)
 - /c taskkill /im  (PEHSTR_EXT)
 - Cookies\%s_%s.txt (PEHSTR_EXT)
 - \Electrum-LTC\wallets (PEHSTR_EXT)
 - multidoge.wallet (PEHSTR_EXT)
 - \Comodo\Dragon\User Data (PEHSTR_EXT)
 - \Yandex\YandexBrowser\User Data (PEHSTR_EXT)
 - \Mail.Ru\Atom\User Data (PEHSTR_EXT)
 - \Microsoft\Edge\User Data (PEHSTR_EXT)
 - \CryptoTab Browser\User Data (PEHSTR_EXT)
 - ssfnname\Coinomi\wallet_db (PEHSTR_EXT)
 - \Ethereum\wallets (PEHSTR_EXT)
 - AccountInfo.txt (PEHSTR_EXT)
 - \user.configName\Exodus\exodus.wallet (PEHSTR_EXT)
 - \Monero\wallets (PEHSTR_EXT)
 - Coinomi\wallet_db (PEHSTR_EXT)
 - ROwindows defender sucksOT\SecurityCentewindows defender sucksr2 (PEHSTR_EXT)
 - CS.My.Resources (PEHSTR_EXT)
 - CS.frmParish.resources (PEHSTR_EXT)
 - CS.Report1.rdlc (PEHSTR_EXT)
 - Adamantium-Thief/master/Stealer/Stealer (PEHSTR_EXT)
 - libsodium.dll (PEHSTR_EXT)
 - Opera Software\Opera Stable (PEHSTR_EXT)
 - Google\Chrome (PEHSTR_EXT)
 - Yandex\YandexBrowser (PEHSTR_EXT)
 - Comodo\Dragon (PEHSTR_EXT)
 - Telegram.Bot (PEHSTR_EXT)
 - SELECT host_key, name, path, is_secure, expires_utc, encrypted_value, is_httponly FROM cookies (PEHSTR_EXT)
 - Dialup/RAS/VPN Passwords (PEHSTR)
 - HogStealer (PEHSTR_EXT)
 - /C choice /C Y /N /D Y /T 1 & Del (PEHSTR_EXT)
 - has been has been infected with HogStealer! (PEHSTR_EXT)
 - https://bit.ly/3987VpR (PEHSTR_EXT)
 - AStealer (PEHSTR_EXT)
 - config.dyndns (PEHSTR_EXT)
 - screenshot (PEHSTR_EXT)
 - C:\\BCRYPT.DLL (PEHSTR_EXT)
 - C:\INTERNAL\REMOTE.EXE (PEHSTR_EXT)
 - \\signons.sqlite (PEHSTR_EXT)
 - recentservers.xml (PEHSTR_EXT)
 - \\Nichrome\\User Data\\ (PEHSTR_EXT)
 - \\Epic Privacy Browser\\User Data\\ (PEHSTR_EXT)
 - \\brave\\ (PEHSTR_EXT)
 - Cookies\\IE_Cookies.txt (PEHSTR_EXT)
 - files\outlook.txtfiles\\outlook.txt (PEHSTR_EXT)
 - encrypted_key":"(.*?) (PEHSTR_EXT)
 - Passwords. (PEHSTR_EXT)
 - //setting[@name='Username']/value (PEHSTR_EXT)
 - /s /t {0} (PEHSTR_EXT)
 - \Programs\Discord (PEHSTR_EXT)
 - \tokens.txt (PEHSTR_EXT)
 - Local Storage\leveldb (PEHSTR_EXT)
 - MinecraftStealer (PEHSTR_EXT)
 - connection_trace.txt (PEHSTR_EXT)
 - child_process.execSync(`{0}${{__dirname}}/{1}/Update.exe{2}`) (PEHSTR_EXT)
 - require(__dirname + '/{3}/inject.js') (PEHSTR_EXT)
 - mfa\.(\w|\d|_|-){84} (PEHSTR_EXT)
 - (\w|\d){24}\.(\w|\d|_|-){6}.(\w|\d|_|-){27} (PEHSTR_EXT)
 - discordmod.js (PEHSTR_EXT)
 - preload.js (PEHSTR_EXT)
 - inject.js (PEHSTR_EXT)
 - Decompress (PEHSTR_EXT)
 - http://awuasb09.top/download.php (PEHSTR_EXT)
 - /index.php (PEHSTR_EXT)
 - \_Files\_AllPasswords_list.txt (PEHSTR_EXT)
 - \files_\passwords.txt (PEHSTR_EXT)
 - \_Files\_AllCookies_list.txt (PEHSTR_EXT)
 - \_Files\_Cookies\google_chrome_new.txt (PEHSTR_EXT)
 - \_Files\_All_CC_list.txt (PEHSTR_EXT)
 - \_Files\_AllForms_list.txt (PEHSTR_EXT)
 - \key4.db (PEHSTR_EXT)
 - \fehS8.tmp (PEHSTR_EXT)
 - \files_\cryptocurrency (PEHSTR_EXT)
 - %AppData%\Pegas (PEHSTR_EXT)
 - \_Files\_Wallet (PEHSTR_EXT)
 - \_Files\_Screen_Desktop.jpeg (PEHSTR_EXT)
 - \_Files\_Wallet\ElectronCash (PEHSTR_EXT)
 - PYWuI5\6DNrY\tEqJaSk\ON2K9ThJCLm (PEHSTR_EXT)
 - WINMM.dll (PEHSTR_EXT)
 - Google\Chrome\User Data (PEHSTR_EXT)
 - Microsoft\Edge\User Data (PEHSTR_EXT)
 - Chromium\User Data (PEHSTR_EXT)
 - Xpom\User Data (PEHSTR_EXT)
 - Comodo\Dragon\User Data (PEHSTR_EXT)
 - Amigo\User Data (PEHSTR_EXT)
 - Orbitum\User Data (PEHSTR_EXT)
 - Bromium\User Data (PEHSTR_EXT)
 - BraveSoftware\Brave-Browser\User Data (PEHSTR_EXT)
 - Nichrome\User Data (PEHSTR_EXT)
 - RockMelt\User Data (PEHSTR_EXT)
 - 360Browser\Browser\User Data (PEHSTR_EXT)
 - Vivaldi\User Data (PEHSTR_EXT)
 - Go!\User Data (PEHSTR_EXT)
 - Sputnik\Sputnik\User Data (PEHSTR_EXT)
 - Kometa\User Data (PEHSTR_EXT)
 - uCozMedia\Uran\User Data (PEHSTR_EXT)
 - QIP Surf\User Data (PEHSTR_EXT)
 - Epic Privacy Browser\User Data (PEHSTR_EXT)
 - CocCoc\Browser\User Data (PEHSTR_EXT)
 - Password \ Pass phrase to be tested (PEHSTR_EXT)
 - Generated Password \ Passphrase (PEHSTR_EXT)
 - F*\AD:\Junk Programs\Test_Passw20243252017\TestPwd\TestPwd.vbp (PEHSTR_EXT)
 - Kenneth Ives kenaso@tx.rr.com (PEHSTR_EXT)
 - ShellExecuteA (PEHSTR_EXT)
 - Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 (PEHSTR_EXT)
 - http\shell\open\command (PEHSTR_EXT)
 - channelinfo.pw/ (PEHSTR_EXT)
 - \Google\Chrome\User Data\Default\Cookies (PEHSTR_EXT)
 - \Google\Chrome\User Data\Profile 1\Login Data (PEHSTR_EXT)
 - tpyyf.com (PEHSTR_EXT)
 - BTC Stealer (PEHSTR_EXT)
 - ^bc1[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz].*$ (PEHSTR_EXT)
 - https://api.telegram.org/bot (PEHSTR_EXT)
 - https://ipv4bot.whatismyipaddress.com/ (PEHSTR_EXT)
 - FILEMY Company (PEHSTR_EXT)
 - Capture.jpg (PEHSTR_EXT)
 - \cookies.txt (PEHSTR_EXT)
 - Invoke StealerPlugin (PEHSTR_EXT)
 - DynamicDllInvoke (PEHSTR_EXT)
 - DynamicDllModule (PEHSTR_EXT)
 - *.wallet (PEHSTR_EXT)
 - -*.lo--g (PEHSTR_EXT)
 - com.liberty.jaxx (PEHSTR_EXT)
 - shell\open\command (PEHSTR_EXT)
 - C:/temp/Passwords.txt (PEHSTR_EXT)
 - C:/temp/System_INFO.txt (PEHSTR_EXT)
 - StealerBin (PEHSTR_EXT)
 - C:/temp/finalres.vbs (PEHSTR_EXT)
 - euisfdjsxadfds7 (PEHSTR_EXT)
 - msg=No-Exes-Found-To-Run (PEHSTR_EXT)
 - /dev/random (PEHSTR_EXT)
 - bryexhsg.xyz (PEHSTR_EXT)
 - addInstall.php? (PEHSTR_EXT)
 - RunPE\obj\Debug\RunPE.pdb (PEHSTR_EXT)
 - RunPE.Resources (PEHSTR_EXT)
 - samp.dll (PEHSTR_EXT)
 - WinExec (PEHSTR_EXT)
 - /passwd (PEHSTR_EXT)
 - SOFTWARE\SAMP (PEHSTR_EXT)
 - data\acces (PEHSTR_EXT)
 - AntiStealerByDarkP1xel (PEHSTR_EXT)
 - dddddsssdas.exe (PEHSTR_EXT)
 - ddddddas.exe (PEHSTR_EXT)
 - drivers\ui\NvSmartMax\NvSmartMaxApp (PEHSTR_EXT)
 - PureMiner_Shared\obj\Debug\ClassLibrary (PEHSTR_EXT)
 - AesCryptoServiceProvider (PEHSTR_EXT)
 - zopiv.txt (PEHSTR_EXT)
 - \mijex\ (PEHSTR_EXT)
 - kuxeyor\6\ (PEHSTR_EXT)
 - TripleDESCryptoServiceProvider (PEHSTR_EXT)
 - cmd /c start clr_soft.exe & start redline_.exe (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\RunOnce (PEHSTR_EXT)
 - wextract.pdb (PEHSTR_EXT)
 - powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath (PEHSTR_EXT)
 - http://hsiens.xyz (PEHSTR_EXT)
 - addInstall.php (PEHSTR_EXT)
 - addInstallImpression.php (PEHSTR_EXT)
 - myip.php (PEHSTR_EXT)
 - /cdn.discordapp.com/attachments/ (PEHSTR_EXT)
 - HKGASHSAEY_GASHSACURREGASHSANT_USGASHSAER\SoGASHSAftwGASHSAare\BrowseGASHSArOfGASHSADea\BrowseGASHSArOfDGASHSAea (PEHSTR_EXT)
 - ApRCApDRCAata\RoaRCAming (PEHSTR_EXT)
 - FAASD.FAASDexFAASDe (PEHSTR_EXT)
 - Local\Google\Chrome\User Data\Default\Login Data (PEHSTR_EXT)
 - OnlineLicensing.dll (PEHSTR_EXT)
 - i9Su6ghOkJi7X57wjuNwgHkQOT8EoCvP138jYo/hb44= (PEHSTR_EXT)
 - OnlineLicensing.pdb (PEHSTR_EXT)
 - Nerdbank.GitVersioning.Tasks (PEHSTR_EXT)
 - OXDK/F\pGF\[@]VpJANM ENCRYPTEDpASSWOpPP]P (PEHSTR_EXT)
 - HTTP Password (PEHSTR_EXT)
 - Software\Microsoft\Internet Account Manager (PEHSTR_EXT)
 - //cdn.discordapp.com/attachments/ (PEHSTR_EXT)
 - SteamCloudFileManagerLite.upload (PEHSTR_EXT)
 - 65.21.199.14 (PEHSTR_EXT)
 - DecompressString (PEHSTR_EXT)
 - AntiStealerByDark (PEHSTR_EXT)
 - wspath.phpwspath.phpwspath.phpwspath.php? (PEHSTR_EXT)
 - wslink.php? (PEHSTR_EXT)
 - gta_sa_exe (PEHSTR_EXT)
 - darkloader.ru (PEHSTR_EXT)
 - Codejock.FlowGraph (PEHSTR_EXT)
 - andre\RiderProjects\mApp\mApp\obj (PEHSTR_EXT)
 - mApp.pdb (PEHSTR_EXT)
 - SizeDecompressed (PEHSTR_EXT)
 - OsCrypt (PEHSTR_EXT)
 - C:\Users\USER\AppData\Roaming\System\jobs (PEHSTR_EXT)
 - get_Script (PEHSTR_EXT)
 - SbieDll.dll (PEHSTR_EXT)
 - select * from Win32_ComputerSystem (PEHSTR_EXT)
 - 0.vbs (PEHSTR_EXT)
 - CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" (PEHSTR_EXT)
 - CommandLine "stop WinDefend" (PEHSTR_EXT)
 - https://cdn.discordapp.com/attachments/ (PEHSTR_EXT)
 - `/micrifies.jpg (PEHSTR_EXT)
 - c:\myfile.txt (PEHSTR_EXT)
 - c:\file\re.bat (PEHSTR_EXT)
 - H:\reader.exe (PEHSTR_EXT)
 - C:\Windows\reader.exe (PEHSTR_EXT)
 - C:\file\sam.zip (PEHSTR_EXT)
 - \spd123.ini (FILEPATH)
 - HashStealer (PEHSTR_EXT)
 - Antimalware Service Executable (PEHSTR_EXT)
 - https://bitbucket.org/chege3/softwarellc/downloads/ (PEHSTR_EXT)
 - .jpeg (PEHSTR_EXT)
 - test4\e104\Release\e104.pdb (PEHSTR_EXT)
 - http://test.besthotel360.com/001/puppet.Txt (PEHSTR_EXT)
 - hkernY2.dll (PEHSTR_EXT)
 - HTTP/1.1 (PEHSTR_EXT)
 - HTTP/1.0 (PEHSTR_EXT)
 - Stealer.exe (PEHSTR_EXT)
 - HttpOpenRequestW (PEHSTR_EXT)
 - http://113.212.88. (PEHSTR_EXT)
 - /Vv/resource.json (PEHSTR_EXT)
 - C:\Windows\SysWOW64\svchost.exe (PEHSTR_EXT)
 - C:\Windows\SysWOW64\rundll32.exe (PEHSTR_EXT)
 - ComputeQueue (PEHSTR_EXT)
 - Hotspot Shield 7.9.0 (PEHSTR_EXT)
 - 0@.eh_fram (PEHSTR_EXT)
 - http://lady.webnice.ru (PEHSTR_EXT)
 - http://www.rabota.ricor.ru (PEHSTR_EXT)
 - \discord\Local Storage\leveldb (PEHSTR_EXT)
 - OnStealerDone (PEHSTR_EXT)
 - Work.log (PEHSTR_EXT)
 - ZGKiHslGPo6vWnIjal.y9LylEaSct3rSferV0 (PEHSTR_EXT)
 - root\SecurityCenter (PEHSTR_EXT)
 - Administrator\Desktop\Secured\AutoRobotTradingSoftware.pdb (PEHSTR_EXT)
 - Areg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f (PEHSTR)
 - /Microsoft\Windows Defender\Real-Time Protection (PEHSTR)
 - 4Microsoft\Windows Defender\MpEngine" /v "MpEnablePus (PEHSTR)
 - \_Files\_Information.txt (PEHSTR_EXT)
 - \files_\cookies.txt (PEHSTR_EXT)
 - \_Files\_Cookies\google_chrome.txt (PEHSTR_EXT)
 - \files_\cookies\google_chrome_profile_2.txt (PEHSTR_EXT)
 - \files_\cryptocurrency\ (PEHSTR_EXT)
 - \_Files\_Wallet\ (PEHSTR_EXT)
 - .sqlite (PEHSTR_EXT)
 - .json (PEHSTR_EXT)
 - UserName (ComputerName): %wS (PEHSTR_EXT)
 - @user123311a_crypted.exe (PEHSTR_EXT)
 - /9PAw4fxuPprSD (PEHSTR_EXT)
 - bgfdfgdf.exe (PEHSTR_EXT)
 - CompressionMode (PEHSTR_EXT)
 - bZGtARYPF\AeWG5 (PEHSTR_EXT)
 - .5bi1k2 (PEHSTR_EXT)
 - .FYykpDc (PEHSTR_EXT)
 - aspr_keys.ini (PEHSTR_EXT)
 - hhiuew33.com (PEHSTR_EXT)
 - fj4ghga23_fsa.txt (PEHSTR_EXT)
 - .QhE6kte (PEHSTR_EXT)
 - DelNodeRunDLL32 (PEHSTR_EXT)
 - TEMP\IXP000.TMP (PEHSTR_EXT)
 - root\SecurityCenter2 (PEHSTR_EXT)
 - schtasks.exe /delete /f /tn Pirate (PEHSTR_EXT)
 - .loathli (PEHSTR_EXT)
 - .ligamen (PEHSTR_EXT)
 - goo.gl/vT7idg (PEHSTR_EXT)
 - .u0mc0Dc (PEHSTR_EXT)
 - System.Security.Cryptography.AesCryptoServiceProvider (PEHSTR_EXT)
 - pUeAwDi7ERHX7K3xuf.Cg5bP5uCSMZg0q9JHB (PEHSTR_EXT)
 - tiny.one/cya7dmsu (PEHSTR_EXT)
 - PortableApps.com (PEHSTR_EXT)
 - MANTCVSRVXBYGHIBPS@AWDRT.COM (PEHSTR_EXT)
 - powershell.exe Invoke-WebRequest -Uri (PEHSTR_EXT)
 -  rss.fbvidcdn.com/dl/seed/ -OutFile '%appdata%\s-installer.exe (PEHSTR_EXT)
 - /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (PEHSTR_EXT)
 - C:\TEMP\config.cmd (PEHSTR_EXT)
 - del /F /Q "%appdata%\s-installer.exe (PEHSTR_EXT)
 - C:\Users\OS\Desktop\scseed\Release\scseed.pdb (PEHSTR_EXT)
 - GetCompressedFileSizeW (PEHSTR_EXT)
 - api.ip.sb/ip (PEHSTR_EXT)
 - SOFTWARE\Clients\StartMenuInternet (PEHSTR_EXT)
 - {0}\FileZilla\recentservers.xml (PEHSTR_EXT)
 - user.config (PEHSTR_EXT)
 - cookies.sqlite (PEHSTR_EXT)
 - waasflleasft.datasf (PEHSTR_EXT)
 - AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext (PEHSTR_EXT)
 - MarsStealer8_cracked_by_ (PEHSTR_EXT)
 - 1\2h2 (PEHSTR_EXT)
 - windows\SysWOW64\Rwymoudle (PEHSTR_EXT)
 - GetComputerNameA (PEHSTR_EXT)
 - tm_ScrollBottomTimer (PEHSTR_EXT)
 - Appearance.BackGroundFill.Glow (PEHSTR_EXT)
 - CommandLineUpdate (PEHSTR_EXT)
 - DownloadAndExecuteUpdate (PEHSTR_EXT)
 - 29.47.75.23 (PEHSTR_EXT)
 - 22.82.74.73 (PEHSTR_EXT)
 - C:\Users\ringz\Documents\xRAT 2.0\xRAT-master\C\obj\Release\Client.pdb (PEHSTR_EXT)
 - mastodon.online (PEHSTR_EXT)
 - t.me/hyipsdigest (PEHSTR_EXT)
 - /c timeout /nobreak /t (PEHSTR_EXT)
 - 37.0.11.164 (PEHSTR_EXT)
 - HttpWebRequest (PEHSTR_EXT)
 - $$$ be smart. use easycrypt $$$ (PEHSTR_EXT)
 - Koasofk.exe (PEHSTR_EXT)
 - LimerBoy/StormKitty (PEHSTR_EXT)
 - RobloxStudioBrowser\roblox.com (PEHSTR_EXT)
 - Fuck.That.Bitch.Karen.I.Take.Her.To.Court (PEHSTR_EXT)
 - \passwords.txt (PEHSTR_EXT)
 - cdn.discordapp.com/attachments (PEHSTR_EXT)
 - obj\Debug\fudloader.pdb (PEHSTR_EXT)
 - main.HideWindow (PEHSTR_EXT)
 - main.createWallets (PEHSTR_EXT)
 - cryptoStealer/proccess64/main.go (PEHSTR_EXT)
 - proccess64/domain/App/replace.ReplaceWallet (PEHSTR_EXT)
 - github.com/go-telegram-bot-api/telegram-bot-api (PEHSTR_EXT)
 - github.com/atotto/clipboard.WriteAll (PEHSTR_EXT)
 - github.com/AllenDang/w32 (PEHSTR_EXT)
 - github.com/technoweenie/multipartstreamer (PEHSTR_EXT)
 - InitializeComponent (PEHSTR_EXT)
 - tr e nu niSODom .ed (PEHSTR_EXT)
 - \Downloads\NewPublish\ (PEHSTR_EXT)
 - meta\meta\obj\Release\netcoreapp3.1\win-x86\meta.pdb (PEHSTR_EXT)
 - Chrome\User Data\Default\Login Data (PEHSTR_EXT)
 - System.Net.Requests (PEHSTR_EXT)
 - ksryytvdmkkaxxozluwqswaujmlktkpfpjplwfonrjbxpifdmfplmintz (PEHSTR_EXT)
 - stealer send log (PEHSTR_EXT)
 - key.log (PEHSTR_EXT)
 - 45.12.212.110 (PEHSTR_EXT)
 - rundll32.exe shell32.dll,#61 (PEHSTR_EXT)
 - cmd.exe /c start  (PEHSTR_EXT)
 - chrome.exe (PEHSTR_EXT)
 - profiles.ini (PEHSTR_EXT)
 - firefox.exe (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (PEHSTR_EXT)
 - Could not get a handle to ntdll.dll (PEHSTR_EXT)
 - puklDEVAP9DSfvFWJSWipTSIRSDn8HfxlsEZdqCU3qVJFc13 (PEHSTR_EXT)
 - OnStealer (PEHSTR_EXT)
 - testtttt.ps1 (PEHSTR_EXT)
 - Powershell.exe -executionpolicy remotesigned -File (PEHSTR_EXT)
 - System_INFO.txt (PEHSTR_EXT)
 - netstat.txt (PEHSTR_EXT)
 - %username%_Capture.jpg (PEHSTR_EXT)
 - programms.txt (PEHSTR_EXT)
 - \VMWare\ (PEHSTR_EXT)
 - \oracle\virtualbox guest additions\ (PEHSTR_EXT)
 - System.Text (PEHSTR_EXT)
 - \Google\Chrome\User Data (PEHSTR_EXT)
 - \Default\Login Data (PEHSTR_EXT)
 - \Local State (PEHSTR_EXT)
 - \VertexSpooferFullSRC.pdb (PEHSTR_EXT)
 - Setup=doenerium-win.exe (PEHSTR_EXT)
 - Growtopia_Save_Stealer (PEHSTR_EXT)
 - rundll32.exe %sadvpack.dll,DelNodeRunDLL32 (PEHSTR_EXT)
 - rundll32.exe %s,InstallHinfSection %s (PEHSTR_EXT)
 - cmd /c cmd < Desk.xlsx & ping -n 5 localhost (PEHSTR_EXT)
 - _/C_/Users/ (PEHSTR_EXT)
 - /Desktop/stealer_v (PEHSTR_EXT)
 - 77.73.133.88 (PEHSTR_EXT)
 - cmd /c cmd < Aging.adt & ping -n 5 localhost (PEHSTR_EXT)
 - nslookup / (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\App Paths (PEHSTR_EXT)
 - stealer_v (PEHSTR_EXT)
 - screenshot.CaptureScreen (PEHSTR_EXT)
 - ChromeCommonCookie (PEHSTR_EXT)
 - time.Sleep (PEHSTR_EXT)
 - Google\Chrome\User Data\Default\Login Data (PEHSTR_EXT)
 - Microsoft\Edge\User Data\Default\Login Data (PEHSTR_EXT)
 - Browser\User Data\Local State (PEHSTR_EXT)
 - ImBetter.pdb (PEHSTR_EXT)
 - \Mozilla\Firefox\Profiles (PEHSTR_EXT)
 - 080l48aGZULitgNo34.NQQ8oiuE0BojERB6dZ (PEHSTR_EXT)
 - BlackNET Password Stealer Plugin (PEHSTR_EXT)
 - PasswordStealer.dll (PEHSTR_EXT)
 - D:\Mktmp\Amadey\StealerDLL (PEHSTR_EXT)
 - \Google\Chrome\User Data\Default\Login Data (PEHSTR_EXT)
 - \Opera Software\Opera Stable\Login Data (PEHSTR_EXT)
 - \Microsoft\Edge\User Data\Default\Login Data (PEHSTR_EXT)
 - \Chedot\User Data\Default\Login Data (PEHSTR_EXT)
 - \CentBrowser\User Data\Default\Login Data (PEHSTR_EXT)
 - Monero\wallets\ (PEHSTR_EXT)
 - logins.json (PEHSTR_EXT)
 - Cinoshi.pdb (PEHSTR_EXT)
 - Ionic.Zip (PEHSTR_EXT)
 - Silk.pdb (PEHSTR_EXT)
 - Confuser.Core 1.6.0+447341964f (PEHSTR_EXT)
 - Autarky.exe (PEHSTR_EXT)
 - HttpUtility (PEHSTR_EXT)
 - HttpServerUtility (PEHSTR_EXT)
 - Chevron.exe (PEHSTR_EXT)
 - windows-1251, CommandLine (PEHSTR_EXT)
 - net.tcp:// (PEHSTR_EXT)
 - Gl.h3.resources (PEHSTR_EXT)
 - PictureGame.Resources.resources (PEHSTR_EXT)
 - aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources (PEHSTR_EXT)
 - os_crypt.encrypted_key (PEHSTR_EXT)
 - fGtH.exe (PEHSTR_EXT)
 - Profiles\Outlook (PEHSTR_EXT)
 - Thunderbird\Profiles (PEHSTR_EXT)
 - Confuser.Core (PEHSTR_EXT)
 - Markdig.Resolver (PEHSTR_EXT)
 - \StillerRolton.pdb (PEHSTR_EXT)
 - C:\Users\Ahmed\Documents\Visual Studio 2010\Projects\pla\Bootmgr\obj\x86\Debug\Bootmgr.pdb (PEHSTR_EXT)
 - C:\Boot\Bootmgr.com (PEHSTR_EXT)
 - c:\boot\me.dll (PEHSTR_EXT)
 - log.txt (PEHSTR_EXT)
 - B.imports (PEHSTR_EXT)
 - os_c576xedrypt.encry576xedpted_key (PEHSTR_EXT)
 - github.com/phil-fly/generate (PEHSTR_EXT)
 - api.telegram.org/bot (PEHSTR_EXT)
 - Shell.Application (PEHSTR_EXT)
 - @RD /S /Q (PEHSTR_EXT)
 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_ (PEHSTR_EXT)
 - quanlykho.Properties (PEHSTR_EXT)
 - NewStealer (PEHSTR_EXT)
 - GrabScreen (PEHSTR_EXT)
 - -ExecutionPolicy Bypass (PEHSTR_EXT)
 - sitemanager.xml (PEHSTR_EXT)
 - ThunderBirdContacts.txt (PEHSTR_EXT)
 - MailContacts.txt (PEHSTR_EXT)
 - SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command (PEHSTR_EXT)
 - accounts.xml (PEHSTR_EXT)
 - _gZhD9cAiSBw2p.Properties.Resources.resources (PEHSTR_EXT)
 - out.dll (PEHSTR_EXT)
 - UPlRTxsojvoUKyY0hk.GYMnI7gQeQEeu4Om6t (PEHSTR_EXT)
 - s05AUpDFWLlXHdHxXq.oivCwUJSNiehmVIOAh (PEHSTR_EXT)
 - Corral.g.resources (PEHSTR_EXT)
 - cdn.discordapp.com/attachments/651522382200176690/660984792061313024/mapper_3.exe (PEHSTR_EXT)
 - cmd.exe (PEHSTR_EXT)
 - powershell.exe (PEHSTR_EXT)
 - C:\\Windows\\IME\\mapper.exe (PEHSTR_EXT)
 - Growtopia-Full-Fud-Stealer-master\obj\Debug\Fud.pdb (PEHSTR_EXT)
 - discord.com/api/webhooks/1007285810468507658/g4q5Mp (PEHSTR_EXT)
 - user UserDefender /delete (PEHSTR_EXT)
 - add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v UserDefender /t REG_DWORD /d 0 /reg:64 /f (PEHSTR_EXT)
 - \Coinomi\Coinomi\wallets (PEHSTR_EXT)
 - HARDWARE\DESCRIPTION\System\CentralProcessor\0 (PEHSTR_EXT)
 - \PC\source\repos\Stealer try (PEHSTR_EXT)
 - Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (PEHSTR_EXT)
 - fyi/Blogtion.msi (PEHSTR_EXT)
 - ppCmdLine=/QN /norestart (PEHSTR_EXT)
 - encrypted_key":"(.+?) (PEHSTR_EXT)
 - Pg\:a (SNID)
 - atomic.QSY_zrh (PEHSTR_EXT)
 - - Screen Resoluton: (PEHSTR_EXT)
 - Exela (PEHSTR_EXT)
 - \Microsoft.NET\Framework\ (PEHSTR_EXT)
 -  \AppLaunch.exe (PEHSTR_EXT)
 - .xsph.ru/ (PEHSTR_EXT)
 - \vanitygen\vanitykitty\btcgen\obj\Release\btcgen.pdb (PEHSTR_EXT)
 - btcgen.Properties.Resources (PEHSTR_EXT)
 - btcgen.exe (PEHSTR_EXT)
 - TEXTBIN.NET/raw (PEHSTR_EXT)
 - /VERYSILENT /SP- (PEHSTR_EXT)
 - ShellCode33/VM-Detection (PEHSTR_EXT)
 - gary-macos-stealer-malware/agent/win (PEHSTR_EXT)
 - Bunny/TaskHandler.php (PEHSTR_EXT)
 - Run Stealer (PEHSTR_EXT)
 - Echoer.php (PEHSTR_EXT)
 - notepad.exe (PEHSTR_EXT)
 - honey@pot.com.pst (PEHSTR_EXT)
 - FileZillaStealer (PEHSTR_EXT)
 - upload_screenshot_c2 (PEHSTR_EXT)
 - dKAoMzVdoGMRAuUpnzHLYIx.dll (PEHSTR_EXT)
 - bFISQFXZrlhowSppjMcUMEWMVO.dll (PEHSTR_EXT)
 - GET %s HTTP/1.1 (PEHSTR_EXT)
 - sxWsBcgMSxRdUCKXevfJKgAGAKoM.dll (PEHSTR_EXT)
 - qIadkkJWSlcNQdQofhpMzxrd.dll (PEHSTR_EXT)
 - LsVgHFhAfthrvrwvVQnXVYBStlK.dll (PEHSTR_EXT)
 - thoseintroductory.exe (PEHSTR_EXT)
 - callcustomerpro.exe (PEHSTR_EXT)
 - GPUView.pdb (PEHSTR_EXT)
 - Binance Airdrop_.exe (PEHSTR_EXT)
 - DllRegisterServer (PEHSTR_EXT)
 - HttpWebResponse (PEHSTR_EXT)
 - error_correction_update_check.My.Resources (PEHSTR_EXT)
 - installation_solution_for_use.My.Resources (PEHSTR_EXT)
 - .vuia3 (PEHSTR_EXT)
 - writerfunctionpro.exe (PEHSTR_EXT)
 - timeprogrammer.exe (PEHSTR_EXT)
 - TestFiles\AllMessages.txt (PEHSTR_EXT)
 - ://zdv.life/downloader.exe (PEHSTR_EXT)
 - 5nOpcoOp;nOpAoOpCoOpCoOpCoOPCo/ (PEHSTR_EXT)
 - System.Security.Cryptography.HMACMD5 (PEHSTR_EXT)
 - ICryptoTransformExecute (PEHSTR_EXT)
 - \AppData\Local\Temporary Projects\WindowsFormsApp1\obj\Debug\iTalk.pdb (PEHSTR_EXT)
 - gabkauric@gmail.com (PEHSTR_EXT)
 - smtp.gmail.com (PEHSTR_EXT)
 - RobloxLogin__Totaly_Legit_.Properties.Resources (PEHSTR_EXT)
 - http://bkp.myftp.org/compras/gate.php (PEHSTR_EXT)
 - \ChromePasswords.txt (PEHSTR_EXT)
 - \InternetExplorer\IEPasswords.txt (PEHSTR_EXT)
 - stealer.pdb (PEHSTR_EXT)
 - canary.discord.com/api/webhooks/1069222681557336064/ (PEHSTR_EXT)
 - discord.com/api/webhooks/837762564246601738/ (PEHSTR_EXT)
 - password-crypted.cockygrabber (PEHSTR_EXT)
 - \Temporary\EdgePasswords.txt (PEHSTR_EXT)
 - \Temporary\EdgeCookies.txt (PEHSTR_EXT)
 - \Temporary\ChromePasswords.txt (PEHSTR_EXT)
 - \Temporary\ChromeCookies.txt (PEHSTR_EXT)
 - \Temporary\OperaPasswords.txt (PEHSTR_EXT)
 - taskkill /im System.dll (PEHSTR_EXT)
 - REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f (PEHSTR_EXT)
 - REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f (PEHSTR_EXT)
 - HKEY_CURRENT_USER\Software\IMVU\username\ (PEHSTR_EXT)
 - HKEY_CURRENT_USER\Software\IMVU\password\ (PEHSTR_EXT)
 - [LOG].txt (PEHSTR_EXT)
 - C:\KFJD947DHC.exe (PEHSTR_EXT)
 - GoStealer (PEHSTR_EXT)
 - hackirby/skuld/ (PEHSTR_EXT)
 - BrookStealer (PEHSTR_EXT)
 - browser.Credential (PEHSTR_EXT)
 - Ay3Info.exe (PEHSTR_EXT)
 - %userappdata%\RestartApp.exe (PEHSTR_EXT)
 - \.\Global\oreans32 (PEHSTR_EXT)
 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 (PEHSTR_EXT)
 - RATTE/RATTEgo (PEHSTR_EXT)
 - gorilla/websocket (PEHSTR_EXT)
 - main.BotToken (PEHSTR_EXT)
 - eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0. (PEHSTR_EXT)
 - password.txt (PEHSTR_EXT)
 - ziggy.Properties.Resources (PEHSTR_EXT)
 - C:\Program Files (x86)\Windows Defender\MpHeadlessRun.exe (PEHSTR_EXT)
 - Application added to startup successfully. (PEHSTR_EXT)
 - stealer\x64\Release\stealer.pdb (PEHSTR_EXT)
 - key4.db (PEHSTR_EXT)
 - Weekend.exe (PEHSTR_EXT)
 - PassGrabber.exe (PEHSTR)
 - gidcon:cmd /c cmd < Lascia.aac (PEHSTR_EXT)
 - dllhost.exe (PEHSTR_EXT)
 - Poverty is the parent of crime. (PEHSTR_EXT)
 - - ScreenSize: {lWidth=%d, lHeight=%d} (PEHSTR_EXT)
 - load_world.exe (PEHSTR_EXT)
 - live_stream_from_cosmos_events_app.exe (PEHSTR_EXT)
 - Account/Login (PEHSTR_EXT)
 - WebMatrix.WebData.Resources.WebDataResources (PEHSTR_EXT)
 - Wvqzdswh.Properties.Resources (PEHSTR_EXT)
 - module.teleg (PEHSTR)
 - %temp%\GetAdmin.vbs (PEHSTR)
 -  start /B call OBF20x-stealer.bat (PEHSTR)
 - EmbeddedSQLiteDemo.pdb (PEHSTR)
 - Browsers\BroweserInfo.txt (PEHSTR_EXT)
 - Ethereum\keystore (PEHSTR_EXT)
 - AtlantidaStealer (PEHSTR_EXT)
 - Exodus\Local Storage\leveldb (PEHSTR_EXT)
 - \Binance\*.json (PEHSTR_EXT)
 - INZStealer.exe (PEHSTR_EXT)
 - LoaderV1.Form1.resources (PEHSTR_EXT)
 - \First.pdb (PEHSTR_EXT)
 - \RegAsm.exe (PEHSTR_EXT)
 - remisat.com.uy (PEHSTR_EXT)
 - Umbral.payload.exe (PEHSTR)
 - Umbral Stealer Payload (PEHSTR)
 - .rsrc (PEHSTR_EXT)
 - /SILENT (PEHSTR_EXT)
 - Software\WinLicense (PEHSTR_EXT)
 - StealerClient (PEHSTR_EXT)
 - \\.\SIWVID (PEHSTR_EXT)
 - oreans32.sys (PEHSTR_EXT)
 - oreansx64.sys (PEHSTR_EXT)
 - HARDWARE\ACPI\DSDT\VBOX__ (PEHSTR_EXT)
 - .taggant (PEHSTR_EXT)
 - \\.\Global\oreansx64 (PEHSTR_EXT)
 - Please, contact the software developers with the following codes. Thank you. (PEHSTR_EXT)
 - Please, contact yoursite@yoursite.com. Thank you! (PEHSTR_EXT)
 - WLNumDLLsProt (PEHSTR_EXT)
 - RestartApp.exe (PEHSTR_EXT)
 - Rich. (PEHSTR_EXT)
 - TeleSteal.Renci.SshNet.dll (PEHSTR)
 - \TeleSteal.pdb (PEHSTR)
 - \QQ.exe (PEHSTR_EXT)
 - @League of Legends.exe (PEHSTR_EXT)
 - Sapphire\obj\ (PEHSTR_EXT)
 - Yandex\YandexBrowser\User Data (PEHSTR_EXT)
 - cookies.json (PEHSTR_EXT)
 - kbinani/screenshot (PEHSTR_EXT)
 - main.antidebugger (PEHSTR_EXT)
 - main.decryptAllPasswords (PEHSTR_EXT)
 - main.decryptAllCookies (PEHSTR_EXT)
 - main.saveWindowsWallpapers (PEHSTR_EXT)
 - main.getAutofill (PEHSTR_EXT)
 - //jofilesjo.com (PEHSTR_EXT)
 - yoursite@yoursite.com. (PEHSTR_EXT)
 - NewBot.Loader (PEHSTR_EXT)
 - oFYSVYzChxVsXWmRsYqu.dll (PEHSTR_EXT)
 - tzYslkEExBzhWQjYATHOe.dll (PEHSTR_EXT)
 - OdZokoKlJenvDbhTg.dll (PEHSTR_EXT)
 - HeWSfFWuFmmMEQy.dll (PEHSTR_EXT)
 - ILLnogZyZLUtVXiOvwRHpTewBNs.dll (PEHSTR_EXT)
 - SimulationEngine.Properties.Resources (PEHSTR_EXT)
 - WFCL.SelectServer.resources (PEHSTR_EXT)
 - WFCL.pdb (PEHSTR_EXT)
 - VioletRichPlayer364David.ZODvl (PEHSTR_EXT)
 - StealerClient.exe (PEHSTR_EXT)
 - Telegram: https://t.me/RiseProSUPPORT (PEHSTR_EXT)
 - EmbeddedSQLiteDemo.exe (PEHSTR)
 - Samurai.Stealer (PEHSTR_EXT)
 - get_ComputerName (PEHSTR_EXT)
 - http://pz.wyjsq.cn/steamspeedAESpz.bin (PEHSTR_EXT)
 - http://pz.wyjsq.cn/gxrz.txt (PEHSTR_EXT)
 - =steamstorecommunitysite (PEHSTR_EXT)
 - C:\Windows\System32\drivers\etc\hosts (PEHSTR_EXT)
 - Switch-Stealer (PEHSTR_EXT)
 - AppData\Local\Temp\cfg.exe (PEHSTR_EXT)
 - TelegramStealer.exe (PEHSTR)
 - payload.bin (PEHSTR_EXT)
 - loader.bin (PEHSTR_EXT)
 - jerry.jpg (PEHSTR_EXT)
 - /server.php (PEHSTR_EXT)
 - %s%s\logins.json (PEHSTR_EXT)
 - %s%s\key4.db (PEHSTR_EXT)
 - $.vmp (PEHSTR_EXT)
 - \htdocs\ (PEHSTR_EXT)
 - \output.exe (PEHSTR_EXT)
 - \ConsoleApplication1.pdb (PEHSTR_EXT)
 - Typhon.Stealer.Software.VPN (PEHSTR_EXT)
 - Typhon.Stealer.Software.Browsers.Edge (PEHSTR_EXT)
 - Revolutionizing connectivity with cutting-edge cloud solutions. (PEHSTR_EXT)
 - OergBcaAGPSxGICMDFJxnj (PEHSTR_EXT)
 - DiscordCommand (PEHSTR_EXT)
 - Leading the future of integrated technology solutions. (PEHSTR_EXT)
 - imageclass.exe (PEHSTR_EXT)
 - Debug\Phemedrone-Stealer.pdb (PEHSTR_EXT)
 - pastebin.com/raw/LwwcrLg4 (PEHSTR_EXT)
 - Plugins\HVNCStub.dll (PEHSTR_EXT)
 - Plugins\Keylogger.exe (PEHSTR_EXT)
 - RegAsm.exe (PEHSTR_EXT)
 - Plugins\SendMemory.dll (PEHSTR_EXT)
 - discord.com/api/webhooks (PEHSTR_EXT)
 - VenomSteal.zip (PEHSTR_EXT)
 - Plugins\Logger.dll (PEHSTR_EXT)
 - passwords.json (PEHSTR_EXT)
 - UMBRAL STEALER (PEHSTR_EXT)
 - ://discord.com/api/webhooks/ (PEHSTR_EXT)
 - ://github.com/Blank-c/Umbral-Stealer (PEHSTR_EXT)
 - Screenshot (PEHSTR_EXT)
 - Project1.dll (PEHSTR_EXT)
 - main.RedirectToPayload (PEHSTR_EXT)
 - main.LoadPEModule (PEHSTR_EXT)
 - main.GetNTHdrs (PEHSTR_EXT)
 - main.AllocPEBuffer (PEHSTR_EXT)
 - main.PERawToVirtual (PEHSTR_EXT)
 - main.CreateSuspendedProcess (PEHSTR_EXT)
 - main._LoadPEModule (PEHSTR_EXT)
 - main.Resume_Thread (PEHSTR_EXT)
 - main.Write_ProcessMemory (PEHSTR_EXT)
 - main.Get_ThreadContext (PEHSTR_EXT)
 - Intel Core Inc. Trademark (PEHSTR_EXT)
 - JSylCAgIufPyrE (PEHSTR_EXT)
 - <HTA:APPLICATION icon="#" WINDOWSTATE="normal" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" BORDER="none" SCROLL="no" (PEHSTR_EXT)
 - window.close(); (PEHSTR_EXT)
 - </script> (PEHSTR_EXT)
 - Shroud.Properties.Resources.resources (PEHSTR_EXT)
 - runtime.stealWork (PEHSTR_EXT)
 - /Desktop/Stealer/main.go (PEHSTR_EXT)
 - h1:H+t6A/QJMbhCSEH5rAuRxh+CtW96g0Or0Fxa9IKr4uc= (PEHSTR_EXT)
 - main.reverseString (PEHSTR_EXT)
 - type:.eq.main.Response (PEHSTR_EXT)
 - Tic_Tac_Toe.TicTacToePreview.resources (PEHSTR_EXT)
 - system.exe (PEHSTR_EXT)
 - \regex\string.rs (PEHSTR_EXT)
 - \defense\anti_dbg.rs (PEHSTR_EXT)
 - \defense\anti_vm.rs (PEHSTR_EXT)
 - \discord.rs (PEHSTR_EXT)
 - https://gitlab.com/DemoTrojan/real/-/raw/main/check.bat (MACROHSTR_EXT)
 - Shell ("cmd /c curl -L -o %APPDATA%\Pun.bat " &  (MACROHSTR_EXT)
 - / & " && %APPDATA%\Pun.bat"), vbHide (MACROHSTR_EXT)
 - curl --ssl-no-revoke -X POST "https://api.telegram.org/bot (PEHSTR_EXT)
 - JprCj82eY1e7mjrGxw.d1oAiYIBYaO9D2A9cZ (PEHSTR_EXT)
 - w5RWfKgbEirtaOLWRW.F1P6iqSIZ6HrtAgnwr (PEHSTR_EXT)
 - tLrmzJMsrWOFWmoOxcctAcCafzA.d (PEHSTR_EXT)
 - FgLHhdSuJHOQcVWHZfF.d (PEHSTR_EXT)
 - GyMAbmOFFujFiehEPZOsbV.dll (PEHSTR_EXT)
 - DkXBPNkrUIvokvAKWOOcKL.dll (PEHSTR_EXT)
 - vysLTwxigwwMGJpcQbTPB.dll (PEHSTR_EXT)
 - if(navigator.userAgent.toLocaleLowerCase().indexOf("baidu") == -1){document.title (PEHSTR_EXT)
 - .replace(new RegExp( (PEHSTR_EXT)
 - String.fromCharCode( (PEHSTR_EXT)
 - MeshEkran.DataSetler.FirmaDBListD (PEHSTR_EXT)
 - main.Md5Encode (PEHSTR_EXT)
 - main.EUkcKYTIDb (PEHSTR_EXT)
 - main.TerminateProcess (PEHSTR_EXT)
 - main.nlZMziDMqv (PEHSTR_EXT)
 - main.ResumeThread (PEHSTR_EXT)
 - main.WriteProcessMemory (PEHSTR_EXT)
 - main.Wow64SetThreadContext (PEHSTR_EXT)
 - main.GetThreadContext (PEHSTR_EXT)
 - LwNOrAxUVY/main.go (PEHSTR_EXT)
 - main.nwPXANdvbL (PEHSTR_EXT)
 - main.qWwvfeKaCT (PEHSTR_EXT)
 - back7top_managment.Resources.resources (PEHSTR_EXT)
 - main.(*ExtractBrowserProfile).zipUserData (PEHSTR_EXT)
 - .extractBrowserData (PEHSTR_EXT)
 - .copyUserData.func1 (PEHSTR_EXT)
 - .killChromeProcesses.func1 (PEHSTR_EXT)
 - ouuhltqrdxkxcfwnokiraowiforuavef.func1 (PEHSTR_EXT)
 - jbrgznwtqgjusbrusdagfssikogtkauw.func1 (PEHSTR_EXT)
 - JustABackDoor\obj\Debug\JustABackDoor.pdb (PEHSTR_EXT)
 - JustABackDoor.Executor (PEHSTR_EXT)
 - RunPowerShellCommand (PEHSTR_EXT)
 - debug.g.resources (PEHSTR_EXT)
 - psicologiaecultura.com.br (PEHSTR_EXT)
 - if ($exeName -eq "RSGame.exe") (PEHSTR_EXT)
 - main.UlhMFyDdoz (PEHSTR_EXT)
 - main.AEKCihaLRV (PEHSTR_EXT)
 - main.uydiOYgQCH.deferwrap2 (PEHSTR_EXT)
 - main.uydiOYgQCH.deferwrap1 (PEHSTR_EXT)
 - main.mOaSjsgDny.func1.Print.1 (PEHSTR_EXT)
 - test_lib/main.go (PEHSTR_EXT)
 - main.qHbLKcVFPY (PEHSTR_EXT)
 - main.BnMWnpUycO (PEHSTR_EXT)
 - main.HFdrQcLRTh (PEHSTR_EXT)
 - main.HwNcTblZxJ (PEHSTR_EXT)
 - main.khgzBwOcdS (PEHSTR_EXT)
 - main.RDF (PEHSTR_EXT)
 - main.cFVvJaclpr (PEHSTR_EXT)
 - main.oepNeSmKgT (PEHSTR_EXT)
 - main.cQPubDNZNj (PEHSTR_EXT)
 - main.neJDPbLRWD (PEHSTR_EXT)
 - main.VZCOQzehCp (PEHSTR_EXT)
 - main.WjLRMuNaor (PEHSTR_EXT)
 - main.EFTcmUgEtT (PEHSTR_EXT)
 - main.faqLSRWRlV (PEHSTR_EXT)
 - main.lnejYwfZkm (PEHSTR_EXT)
 - main.iiQhNBnnfo (PEHSTR_EXT)
 - TaskManager@stealer (PEHSTR_EXT)
 - rat\client\stealer (PEHSTR_EXT)
 - stealertest.dll (PEHSTR_EXT)
 - main.opWGippTfg.deferwrap2 (PEHSTR_EXT)
 - main.opWGippTfg.deferwrap1 (PEHSTR_EXT)
 - main.KqqAVmjanJ (PEHSTR_EXT)
 - main.fQyfTGPUtq (PEHSTR_EXT)
 - exithook/hooks.go (PEHSTR_EXT)
 - main.randSeq (PEHSTR_EXT)
 - main.KwPMHzDibl (PEHSTR_EXT)
 - main._Cfunc_wrf (PEHSTR_EXT)
 - main._RunPE (PEHSTR_EXT)
 - Poker.Properties.Resources.resources (PEHSTR_EXT)
 - AgroFarm.Properties.Resources (PEHSTR_EXT)
 - \Monero\wallet.keys (PEHSTR_EXT)
 - SOFTWARE\monero-project\monero-core (PEHSTR_EXT)
 - +)+.+0+1+3 (PEHSTR_EXT)
 - StealerDLL\x64\Release\STEALERDLL.pdb (PEHSTR_EXT)
 - Monero\wallets (PEHSTR_EXT)
 - \Users\Public\webdata\info.dat (PEHSTR_EXT)
 - WebSvc ... RegisterMachine w_sUUID (PEHSTR_EXT)
 - /C taskkill /IM %s /F (PEHSTR_EXT)
 - \Google\Chrome\Application\chrome.exe" --restore-last-session (PEHSTR_EXT)
 - dash.zintrack.com (PEHSTR_EXT)
 - /output/wallets/electrum (PEHSTR_EXT)
 - main. (PEHSTR_EXT)
 - .deferwrap2 (PEHSTR_EXT)
 - .deferwrap1 (PEHSTR_EXT)
 - .func1 (PEHSTR_EXT)
 - .func2 (PEHSTR_EXT)
 - .func3 (PEHSTR_EXT)
 - .func4 (PEHSTR_EXT)
 - .func1.Print.1 (PEHSTR_EXT)
 - .idata   (PEHSTR_EXT)
 - .rsrc    (PEHSTR_EXT)
 - .func1.Print.func1 (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - FlashSettings.txt (PEHSTR_EXT)
 - Minecraft Stealer (PEHSTR_EXT)
 - servers.dat (PEHSTR_EXT)
 - complex integrate build quick sun understand network power fast support (PEHSTR_EXT)
 - =.M&o (SNID)
 - database\wirefr\x64\HTTP\Intero.pdb (PEHSTR_EXT)
 - .text (PEHSTR_EXT)
 - `.rdata (PEHSTR_EXT)
 - @.data (PEHSTR_EXT)
 - .00cfg (PEHSTR_EXT)
 - @.reloc (PEHSTR_EXT)
 - B.open (PEHSTR_EXT)
 - fequal.exe (PEHSTR_EXT)
 - focustask.exe (PEHSTR_EXT)
 - http://46.8.237.66/spool02/Odgcgoez.wav (PEHSTR_EXT)
 - `.rsrc (PEHSTR_EXT)
 - CreateAndRunRegistryBackupScript (PEHSTR_EXT)
 - CreateAndExecuteStartupScript (PEHSTR_EXT)
 - powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command (PEHSTR_EXT)
 - github.com (PEHSTR_EXT)
 - vel criar o arquivo .bat. (PEHSTR_EXT)
 - vel criar o arquivo .bat (PEHSTR_EXT)
 - FluentLog4Net.Properties.Resources (PEHSTR_EXT)
 - LOTO_aplikacija.FrmLoto.resources (PEHSTR_EXT)
 - /up.php (PEHSTR_EXT)
 - \Thunderbird\Profiles\ (PEHSTR_EXT)
 - /c systeminfo > (PEHSTR_EXT)
 - Wallets/Electrum (PEHSTR_EXT)
 - Wallets/ElectronCash (PEHSTR_EXT)
 - %appdata%\com.liberty.jaxx\IndexedDB (PEHSTR_EXT)
 - wallets/Ethereum (PEHSTR_EXT)
 - %localappdata%\Coinomi (PEHSTR_EXT)
 - lid=%s&j=%s&ver=4.0 (PEHSTR_EXT)
 - TeslaBrowser/5.5 (PEHSTR_EXT)
 - Screen.png (PEHSTR_EXT)
 - Screen Resoluton: (PEHSTR_EXT)
 - POST /api HTTP/1.1 (PEHSTR_EXT)
 - %appdata%\com.liberty.jaxx (PEHSTR_EXT)
 - Mail Clients/TheBat (PEHSTR_EXT)
 - Mail Clients/Pegasus (PEHSTR_EXT)
 - Applications/Telegram (PEHSTR_EXT)
 - Applications/1Password (PEHSTR_EXT)
 - Wallets/Daedalus (PEHSTR_EXT)
 - appdata\exodus (PEHSTR_EXT)
 - appdata\binance (PEHSTR_EXT)
 - get-wmiobject-classwin32_computersystem (PEHSTR_EXT)
 - webextension@metamask.io (PEHSTR_EXT)
 - Monero\wallet.keys (PEHSTR_EXT)
 - .func6 (PEHSTR_EXT)
 - .func6.1 (PEHSTR_EXT)
 - .func5 (PEHSTR_EXT)
 - .func5.1 (PEHSTR_EXT)
 - .func4.1 (PEHSTR_EXT)
 - .func3.1 (PEHSTR_EXT)
 - .func2.1 (PEHSTR_EXT)
 - .func8 (PEHSTR_EXT)
 - .func7 (PEHSTR_EXT)
 - tsrnKMMRWaSmgIGBadTmRDVK.dll (PEHSTR_EXT)
 - EMgVkXRBlViHxiKJoGXomDnkozkr.dll (PEHSTR_EXT)
 - nxtSvXVgJXelyGLBfuddwnihiSLb.dll (PEHSTR_EXT)
 - wDSDpeHhJZHHlukYvJFvIbzlFEz.dll (PEHSTR_EXT)
 - QrUrwtPcnxxkwnxalgzJPWVFgTlT.dll (PEHSTR_EXT)
 - F4A685CA111882879036.g.resources (PEHSTR_EXT)
 - rKWJTiBuK1FSkuZvDy.XM7D23CHuvbooqaBrU (PEHSTR_EXT)
 - YHg8aAJxoeft8ja7nM.yJ3itPKfvVOmJkkoc8 (PEHSTR_EXT)
 - C:\Users\danie\source\repos\Qwest\Qwest\obj\Debug\ (PEHSTR_EXT)
 - powershell -Command "Add-MpPreference -ExclusionPath (PEHSTR_EXT)
 - powershell.exe -c Invoke-WebRequest -Uri (PEHSTR_EXT)
 - https://badlarrysguitars.com (PEHSTR_EXT)
 - TEMP=C:\TEMP (PEHSTR_EXT)
 - AfSdNM6/46ObIJJmWHHvpVJ (PEHSTR_EXT)
 - ProcessHacker.exe (PEHSTR_EXT)
 - procexp.exe (PEHSTR_EXT)
 - x64dbg.exe (PEHSTR_EXT)
 - Stealer.Edge (PEHSTR)
 - Yz]hJVaoKI[g}AmOezfXVVK|HOeaYV]TAT\EY@ (PEHSTR_EXT)
 - fnAti[t\Hmav (PEHSTR_EXT)
 - yYnGNxeMh{fgoxETJ{fbeJtza\YccxNEmxnhhYvaI (PEHSTR_EXT)
 - Account_Panel.Properties.Resources (PEHSTR_EXT)
 - JYM_Project.Properties.Resources.resources (PEHSTR_EXT)
 - ENCRYPTED:CPB7ti0A5zas/0dF4XBKzDiUIfmQ5RgrLQvDrYCST4M= (PEHSTR_EXT)
 - 88.119.167.239 (PEHSTR_EXT)
 - \Shell\Open\Command (PEHSTR_EXT)
 - https://www.chirreeirl.com/wp-panel/uploads/Wlvdlivs.mp3 (PEHSTR_EXT)
 - user_pref("extensions.webextensions.uuids (PEHSTR_EXT)
 - steamcommunity.com (PEHSTR_EXT)
 - RstrtMgr.DLL (PEHSTR_EXT)
 - Tm5McYSCxHrGi4S+xs0dRKxy+8/OKxRNXx1SEPQEI804Dz4Y8PunFang (PEHSTR_EXT)
 - TextForm\obj\Debug\TextForm.pdb (PEHSTR_EXT)
 - Ocean-ac.pdb (PEHSTR_EXT)
 - Taskkill Executed (PEHSTR_EXT)
 - keyauth.win (PEHSTR_EXT)
 - stealer_bot (PEHSTR_EXT)
 - Dwasakj.Properties.Resources (PEHSTR_EXT)
 - file:/// (PEHSTR_EXT)
 - main.CocLYFOOoa (PEHSTR_EXT)
 - main.lFDfigPOFq (PEHSTR_EXT)
 - main.CONTEXT (PEHSTR_EXT)
 - main.ISLAdTJUKL (PEHSTR_EXT)
 - PirateStealerBTWapplication (PEHSTR_EXT)
 - I02Op2e6ZD52OJInVolF/WhWwGUgukvawTLHcS4qp (PEHSTR_EXT)
 - PWGVuoIBdb/core_injector.go (PEHSTR_EXT)
 - PWGVuoIBdb/injection.go (PEHSTR_EXT)
 - celestialC.Stealer.FTP (PEHSTR_EXT)
 - celestialC.Stealer.Messenger.Discord (PEHSTR_EXT)
 - /svcstealer/get.php (PEHSTR_EXT)
 - 185.81.68.15 (PEHSTR_EXT)
 - /c cd C:\Windows\Temp\ & curl -o (PEHSTR_EXT)
 - Venom RAT + HVNC + Stealer + Grabber.exe.licenses (PEHSTR_EXT)
 - Charter.exe (PEHSTR_EXT)
 - bihjfosihuwgighuzhdc.tawor33971.workers.dev (PEHSTR_EXT)
 - $screenshot_path = "$env:USERPROFILE\AppData\Local\Temp\screenshot.png (PEHSTR_EXT)
 - ratnew.ps1 (PEHSTR_EXT)
 - ghhhh.ps1 (PEHSTR_EXT)
 - 94.159.113. (PEHSTR_EXT)
 - Runtine Broker.exe (PEHSTR)
 - kernel32.dll (PEHSTR)
 - Umbral Stealer (PEHSTR_EXT)
 - \Hijack\Release\SPIFilter.pdb (PEHSTR_EXT)
 - "p": "%appdata%\\Ethereum", (PEHSTR_EXT)
 - "p": "%appdata%\\Bitcoin\wallets", (PEHSTR_EXT)
 - "p": "%localappdata%\\Microsoft\\Edge\\User Data", (PEHSTR_EXT)
 - "z": "Wallets/Bitcoin core", (PEHSTR_EXT)
 - "z": "Wallets/DashCore", (PEHSTR_EXT)
 - "n": "chrome.exe", (PEHSTR_EXT)
 - constructor or from DllMain (PEHSTR_EXT)
 - @.idata (PEHSTR_EXT)
 - nss3.dll (PEHSTR_EXT)
 - Prysmax Stealer Cookies (PEHSTR_EXT)
 - Windows DefenderC:\Program Files\Windows DefenderKasperskyC:\Program Files (x86)\Kaspersky LabAvast (PEHSTR_EXT)
 - LOCALAPPDATAsrc/modules/cookies.rs (PEHSTR_EXT)
 - chromeGoogle\Chrome\Application\chrome.exeGoogle\Chrome\User Dataedge (PEHSTR_EXT)
 - schtasks/Delete/TN/Create/SC/RLHIGHEST/RUNT AUTHORITY\SYSTEM/TR[CLIPPER] (PEHSTR_EXT)
 - cmd/C96.9.125.200 (PEHSTR_EXT)
 - Users\Public\Libraries\systemhelper.exe (PEHSTR_EXT)
 - revshell.pdb (PEHSTR_EXT)
 - aeblfdkhhhdcdjpifhhbdiojplfjncoa (PEHSTR_EXT)
 - www.new.eventawardsrussia.com (PEHSTR_EXT)
 - src\executable_loader.rs (PEHSTR)
 - WinHttpWriteData (PEHSTR_EXT)
 - Failed to set proxy blanket. (PEHSTR_EXT)
 - Decryption failed. Last error: (PEHSTR_EXT)
 - \Google\Chrome\User Data\Local State (PEHSTR_EXT)
 - powershell -Command "Invoke-WebRequest -Uri (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - C:\Users\danar\source\repos\opretorsa\x64\Release\opretorsa.pdb (PEHSTR_EXT)
 - %s\wallet_dump_%s (PEHSTR_EXT)
 - Credentials/Microsoft_Mail.txt (PEHSTR_EXT)
 - Software\Microsoft\Office\%s\Outlook\Profiles\Outlook (PEHSTR_EXT)
 - %s\katz_ontop.dll (PEHSTR_EXT)
 - 62.60.226.191 (PEHSTR_EXT)
 - ExecutarMetodoVAI (PEHSTR_EXT)
 - caminhovbs (PEHSTR_EXT)
 - celestialC.Properties (PEHSTR_EXT)
 - get_AllScreens (PEHSTR_EXT)
 - ScreenToClient (PEHSTR_EXT)
 - ComputerInfo (PEHSTR_EXT)
 - /.exe" -Force (PEHSTR_EXT)
 - ExecutionPolicyRead after Close (PEHSTR_EXT)
 - 127.0.0.1:53 (PEHSTR_EXT)
 - Command (PEHSTR_EXT)
 - killing Cmdexe (PEHSTR_EXT)
 - Bot/New/Launcher (PEHSTR_EXT)
 - Data\Armory (PEHSTR_EXT)
 - \FileZilla\recentservers.xml (PEHSTR_EXT)
 - \wallet.dat (PEHSTR_EXT)
 - Wallets\Atomic\Local Storage\leveldb (PEHSTR_EXT)
 - Wallets\Ethereum (PEHSTR_EXT)
 - \SOFTWARE\Bitcoin\Bitcoin-Qt (PEHSTR_EXT)
 - Wallets\Zcash (PEHSTR_EXT)
 - \TEMP\BOFUPMJWUSFVSNIBDJEE (PEHSTR_EXT)
 - Wallets\Bytecoin (PEHSTR_EXT)
 -  .[P| (PEHSTR_EXT)
 - Hh .[o (PEHSTR_EXT)
 - Js) (SNID)
 - StealerBot. (PEHSTR_EXT)
 - /ISPR/ (PEHSTR_EXT)
 - TEZUV0JVVExe (PEHSTR_EXT)
 - reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v AdobeUpdater /t REG_SZ /d "%s" /f (PEHSTR_EXT)
 - cmd.exe /c (PEHSTR_EXT)
 - myth.cocukporno.lol/screen | Victim (PEHSTR_EXT)
 - ?a=http&dev=1& (PEHSTR_EXT)
 - shell_exec($c) (PEHSTR_EXT)
 - \Local Storage\leveldb (PEHSTR_EXT)
 - webhook.site (PEHSTR_EXT)
 - \discordcanary (PEHSTR_EXT)
 - \Lightcord (PEHSTR_EXT)
 - \discordptb (PEHSTR_EXT)
 - main.decryptData (PEHSTR_EXT)
 - shellCommand (PEHSTR_EXT)
 - sendScreen (PEHSTR_EXT)
 - salat/main (PEHSTR_EXT)
 - \\.\Oreans.vxd (PEHSTR_EXT)
 - .idata (PEHSTR_EXT)
 - SOFTWARE\WinLicense (PEHSTR_EXT)
 - DontStopIfGoingOnBatteries (PEHSTR_EXT)
 - Payload execution failed (PEHSTR_EXT)
 - DLL resource tidak ditemukan! (PEHSTR_EXT)
 - \steam\Token.txt (PEHSTR_EXT)
 - \Pc_info.txt (PEHSTR_EXT)
 - \\.\pipe\ChromeDecryptIPC_ (PEHSTR_EXT)
 - /61GM (SNID)
 - Realtek_HD_Audio_Universal_Service_Driver.exe (PEHSTR_EXT)
 - -NoProfile -ExecutionPolicy Bypass -Command " (PEHSTR_EXT)
 - p://141.98.6.130:5554/ (PEHSTR_EXT)
 - p://84.21.189.22:5554/ (PEHSTR_EXT)
 - hacker666lgbt/binaries (PEHSTR_EXT)
 - Phemedrone-Stealer (PEHSTR_EXT)
 - DownloaderApp.exe (PEHSTR_EXT)
 - F_k.Q_Y.O S.z_t_u_n.7D z Xj.h.x k<_X_j fJ O.L B?.x.P.f_d)C_jE.s7 (PEHSTR_EXT)
 - H k2.lF_i7o.u_d H.c.m u.S.R_C.k_t Q.hM.ie (PEHSTR_EXT)
 - 8.1.A.8.p B_M_W.7x Da_l_S.z.4n K.8.N K,b_P.V.vha_V c3 Km k4_u3N.K x.4.O_j.o o9 E_n.y Y.s_e.Xw (PEHSTR_EXT)
 - OIv_a.O_P:m.H_I3u.R(s CT_yM q K_iOM Q rh.B Jv.n D F3 l+ j.L_H (PEHSTR_EXT)
 - Y U.r_i cVh.VZ_B Y p_h.3n.w Rg.e_H (PEHSTR_EXT)
 - z u_T_j o_R| LKp b- Z_dE t V_mx.ac: I.8c+.aM.K.8b A2_y l@ P M.9!o.n (PEHSTR_EXT)
 - D p C\.r.Js.D6.G Wv.2u.R.T+.BR_cM H.W.T&X.G.R uvz.ux_y F_q D (PEHSTR_EXT)
 - WinHTTP Uploader/1.0 (PEHSTR_EXT)
 - ShellExecute (PEHSTR_EXT)
 - StealerCrypt.exe (PEHSTR_EXT)
 - .svG  (SNID)
 - #discordcanary/Local Storage/leveldb (PEHSTR)
 - 1Opera Software/Opera Stable/Local Storage/leveldb (PEHSTR)
 - 5Google/Chrome/User Data/Default/Local Storage/leveldb (PEHSTR)
 - Yandex/YandexBrowser/User Data (PEHSTR)
 - Vivaldi/User Data (PEHSTR)
 - Microsoft/Edge/User Data (PEHSTR)
 - Telegram Desktop/tdata (PEHSTR)
 - VBoxMouse.sys (PEHSTR)
 - VBoxGuest.sys (PEHSTR)
 - vmhgfs.sys (PEHSTR)
 - vmmouse.sys (PEHSTR)
 - vmci.sys (PEHSTR)
 - vmsrvc.sys (PEHSTR)
 -  SOFTWARE\WOW6432Node\Valve\Steam (PEHSTR)
 - Cookies.txt (PEHSTR)
 - system_summary.txt (PEHSTR)
 - http://api.ipify.org (PEHSTR)
 - Discord_Tokens.txt (PEHSTR)
 - screenshot.png (PEHSTR)
 - Passwords.txt (PEHSTR)
 - Reflective DLL Process Injection (PEHSTR_EXT)
 - chrome_decrypt.log (PEHSTR_EXT)
 - chrome_inject.exe (PEHSTR_EXT)
 - logscx\creditcards (PEHSTR_EXT)
 - logscx\Telegram (PEHSTR_EXT)
 - logscx\sensfiles.zip (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
Filename: main.exe
SHA-256: 48f41519ad7accd125b3f4f366e79ea255f8daf69efb1d01a44e87cb74aa234e
Date: 17/12/2025
Remediation Steps:
Immediately isolate the affected system, perform a full anti-malware scan, and remove all detected threats. Urgently reset all passwords, particularly for email, banking, and critical online services. Educate users about social engineering tactics and suspicious attachments/links.
=== END REPORT ===