Trojan:Script/Stealer!AMTB - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Script/Stealer!AMTB
Classification:
  Type: Trojan
  Platform: Script
  Family: Stealer
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !AMTB
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: type Trojan (software that appears legitimate but performs malicious actions), platform Script, family Stealer.

Summary:

This is a script-based trojan stealer that uses social engineering tactics, such as deceptive screensaver lures, for initial infection. It is designed to capture sensitive information through keylogging and by targeting credentials from specific applications like instant messengers and email clients, with capabilities to communicate with external servers for data exfiltration or updates.

Severity: High
VDM Static Detection:
Relevant strings associated with this threat:
 -  start /B call OBF20x-stealer.bat (PEHSTR)
 - EmbeddedSQLiteDemo.pdb (PEHSTR)
 - Browsers\BroweserInfo.txt (PEHSTR_EXT)
 - Ethereum\keystore (PEHSTR_EXT)
 - AtlantidaStealer (PEHSTR_EXT)
 - Exodus\Local Storage\leveldb (PEHSTR_EXT)
 - \Binance\*.json (PEHSTR_EXT)
 - INZStealer.exe (PEHSTR_EXT)
 - LoaderV1.Form1.resources (PEHSTR_EXT)
 - \First.pdb (PEHSTR_EXT)
 - \RegAsm.exe (PEHSTR_EXT)
 - remisat.com.uy (PEHSTR_EXT)
 - Umbral.payload.exe (PEHSTR)
 - Umbral Stealer Payload (PEHSTR)
 - .rsrc (PEHSTR_EXT)
 - /SILENT (PEHSTR_EXT)
 - Software\WinLicense (PEHSTR_EXT)
 - StealerClient (PEHSTR_EXT)
 - \\.\SIWVID (PEHSTR_EXT)
 - oreans32.sys (PEHSTR_EXT)
 - oreansx64.sys (PEHSTR_EXT)
 - HARDWARE\ACPI\DSDT\VBOX__ (PEHSTR_EXT)
 - .taggant (PEHSTR_EXT)
 - \\.\Global\oreansx64 (PEHSTR_EXT)
 - Please, contact the software developers with the following codes. Thank you. (PEHSTR_EXT)
 - Please, contact yoursite@yoursite.com. Thank you! (PEHSTR_EXT)
 - WLNumDLLsProt (PEHSTR_EXT)
 - RestartApp.exe (PEHSTR_EXT)
 - Rich. (PEHSTR_EXT)
 - TeleSteal.Renci.SshNet.dll (PEHSTR)
 - \TeleSteal.pdb (PEHSTR)
 - \QQ.exe (PEHSTR_EXT)
 - @League of Legends.exe (PEHSTR_EXT)
 - Sapphire\obj\ (PEHSTR_EXT)
 - Yandex\YandexBrowser\User Data (PEHSTR_EXT)
 - cookies.json (PEHSTR_EXT)
 - kbinani/screenshot (PEHSTR_EXT)
 - main.antidebugger (PEHSTR_EXT)
 - main.decryptAllPasswords (PEHSTR_EXT)
 - main.decryptAllCookies (PEHSTR_EXT)
 - main.saveWindowsWallpapers (PEHSTR_EXT)
 - main.getAutofill (PEHSTR_EXT)
 - //jofilesjo.com (PEHSTR_EXT)
 - yoursite@yoursite.com. (PEHSTR_EXT)
 - NewBot.Loader (PEHSTR_EXT)
 - oFYSVYzChxVsXWmRsYqu.dll (PEHSTR_EXT)
 - tzYslkEExBzhWQjYATHOe.dll (PEHSTR_EXT)
 - OdZokoKlJenvDbhTg.dll (PEHSTR_EXT)
 - HeWSfFWuFmmMEQy.dll (PEHSTR_EXT)
 - ILLnogZyZLUtVXiOvwRHpTewBNs.dll (PEHSTR_EXT)
 - SimulationEngine.Properties.Resources (PEHSTR_EXT)
 - WFCL.SelectServer.resources (PEHSTR_EXT)
 - WFCL.pdb (PEHSTR_EXT)
 - VioletRichPlayer364David.ZODvl (PEHSTR_EXT)
 - StealerClient.exe (PEHSTR_EXT)
 - Telegram: https://t.me/RiseProSUPPORT (PEHSTR_EXT)
 - EmbeddedSQLiteDemo.exe (PEHSTR)
 - Samurai.Stealer (PEHSTR_EXT)
 - get_ComputerName (PEHSTR_EXT)
 - http://pz.wyjsq.cn/steamspeedAESpz.bin (PEHSTR_EXT)
 - http://pz.wyjsq.cn/gxrz.txt (PEHSTR_EXT)
 - =steamstorecommunitysite (PEHSTR_EXT)
 - C:\Windows\System32\drivers\etc\hosts (PEHSTR_EXT)
 - Switch-Stealer (PEHSTR_EXT)
 - AppData\Local\Temp\cfg.exe (PEHSTR_EXT)
 - TelegramStealer.exe (PEHSTR)
 - payload.bin (PEHSTR_EXT)
 - loader.bin (PEHSTR_EXT)
 - jerry.jpg (PEHSTR_EXT)
 - /server.php (PEHSTR_EXT)
 - %s%s\logins.json (PEHSTR_EXT)
 - %s%s\key4.db (PEHSTR_EXT)
 - $.vmp (PEHSTR_EXT)
 - \htdocs\ (PEHSTR_EXT)
 - \output.exe (PEHSTR_EXT)
 - \ConsoleApplication1.pdb (PEHSTR_EXT)
 - Typhon.Stealer.Software.VPN (PEHSTR_EXT)
 - Typhon.Stealer.Software.Browsers.Edge (PEHSTR_EXT)
 - Revolutionizing connectivity with cutting-edge cloud solutions. (PEHSTR_EXT)
 - OergBcaAGPSxGICMDFJxnj (PEHSTR_EXT)
 - DiscordCommand (PEHSTR_EXT)
 - Leading the future of integrated technology solutions. (PEHSTR_EXT)
 - imageclass.exe (PEHSTR_EXT)
 - Debug\Phemedrone-Stealer.pdb (PEHSTR_EXT)
 - pastebin.com/raw/LwwcrLg4 (PEHSTR_EXT)
 - Plugins\HVNCStub.dll (PEHSTR_EXT)
 - Plugins\Keylogger.exe (PEHSTR_EXT)
 - RegAsm.exe (PEHSTR_EXT)
 - Plugins\SendMemory.dll (PEHSTR_EXT)
 - discord.com/api/webhooks (PEHSTR_EXT)
 - VenomSteal.zip (PEHSTR_EXT)
 - Plugins\Logger.dll (PEHSTR_EXT)
 - passwords.json (PEHSTR_EXT)
 - UMBRAL STEALER (PEHSTR_EXT)
 - ://discord.com/api/webhooks/ (PEHSTR_EXT)
 - ://github.com/Blank-c/Umbral-Stealer (PEHSTR_EXT)
 - Screenshot (PEHSTR_EXT)
 - Project1.dll (PEHSTR_EXT)
 - main.RedirectToPayload (PEHSTR_EXT)
 - main.LoadPEModule (PEHSTR_EXT)
 - main.GetNTHdrs (PEHSTR_EXT)
 - main.AllocPEBuffer (PEHSTR_EXT)
 - main.PERawToVirtual (PEHSTR_EXT)
 - main.CreateSuspendedProcess (PEHSTR_EXT)
 - main._LoadPEModule (PEHSTR_EXT)
 - main.Resume_Thread (PEHSTR_EXT)
 - main.Write_ProcessMemory (PEHSTR_EXT)
 - main.Get_ThreadContext (PEHSTR_EXT)
 - Intel Core Inc. Trademark (PEHSTR_EXT)
 - JSylCAgIufPyrE (PEHSTR_EXT)
 - <HTA:APPLICATION icon="#" WINDOWSTATE="normal" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" BORDER="none" SCROLL="no" (PEHSTR_EXT)
 - window.close(); (PEHSTR_EXT)
 - </script> (PEHSTR_EXT)
 - Shroud.Properties.Resources.resources (PEHSTR_EXT)
 - runtime.stealWork (PEHSTR_EXT)
 - /Desktop/Stealer/main.go (PEHSTR_EXT)
 - h1:H+t6A/QJMbhCSEH5rAuRxh+CtW96g0Or0Fxa9IKr4uc= (PEHSTR_EXT)
 - main.reverseString (PEHSTR_EXT)
 - type:.eq.main.Response (PEHSTR_EXT)
 - Tic_Tac_Toe.TicTacToePreview.resources (PEHSTR_EXT)
 - system.exe (PEHSTR_EXT)
 - \regex\string.rs (PEHSTR_EXT)
 - \defense\anti_dbg.rs (PEHSTR_EXT)
 - \defense\anti_vm.rs (PEHSTR_EXT)
 - \discord.rs (PEHSTR_EXT)
 - https://gitlab.com/DemoTrojan/real/-/raw/main/check.bat (MACROHSTR_EXT)
 - Shell ("cmd /c curl -L -o %APPDATA%\Pun.bat " &  (MACROHSTR_EXT)
 - / & " && %APPDATA%\Pun.bat"), vbHide (MACROHSTR_EXT)
 - curl --ssl-no-revoke -X POST "https://api.telegram.org/bot (PEHSTR_EXT)
 - JprCj82eY1e7mjrGxw.d1oAiYIBYaO9D2A9cZ (PEHSTR_EXT)
 - w5RWfKgbEirtaOLWRW.F1P6iqSIZ6HrtAgnwr (PEHSTR_EXT)
 - tLrmzJMsrWOFWmoOxcctAcCafzA.d (PEHSTR_EXT)
 - FgLHhdSuJHOQcVWHZfF.d (PEHSTR_EXT)
 - GyMAbmOFFujFiehEPZOsbV.dll (PEHSTR_EXT)
 - DkXBPNkrUIvokvAKWOOcKL.dll (PEHSTR_EXT)
 - vysLTwxigwwMGJpcQbTPB.dll (PEHSTR_EXT)
 - if(navigator.userAgent.toLocaleLowerCase().indexOf("baidu") == -1){document.title (PEHSTR_EXT)
 - .replace(new RegExp( (PEHSTR_EXT)
 - String.fromCharCode( (PEHSTR_EXT)
 - MeshEkran.DataSetler.FirmaDBListD (PEHSTR_EXT)
 - main.Md5Encode (PEHSTR_EXT)
 - main.EUkcKYTIDb (PEHSTR_EXT)
 - main.TerminateProcess (PEHSTR_EXT)
 - main.nlZMziDMqv (PEHSTR_EXT)
 - main.ResumeThread (PEHSTR_EXT)
 - main.WriteProcessMemory (PEHSTR_EXT)
 - main.Wow64SetThreadContext (PEHSTR_EXT)
 - main.GetThreadContext (PEHSTR_EXT)
 - LwNOrAxUVY/main.go (PEHSTR_EXT)
 - main.nwPXANdvbL (PEHSTR_EXT)
 - main.qWwvfeKaCT (PEHSTR_EXT)
 - back7top_managment.Resources.resources (PEHSTR_EXT)
 - main.(*ExtractBrowserProfile).zipUserData (PEHSTR_EXT)
 - .extractBrowserData (PEHSTR_EXT)
 - .copyUserData.func1 (PEHSTR_EXT)
 - .killChromeProcesses.func1 (PEHSTR_EXT)
 - ouuhltqrdxkxcfwnokiraowiforuavef.func1 (PEHSTR_EXT)
 - jbrgznwtqgjusbrusdagfssikogtkauw.func1 (PEHSTR_EXT)
 - JustABackDoor\obj\Debug\JustABackDoor.pdb (PEHSTR_EXT)
 - JustABackDoor.Executor (PEHSTR_EXT)
 - RunPowerShellCommand (PEHSTR_EXT)
 - debug.g.resources (PEHSTR_EXT)
 - psicologiaecultura.com.br (PEHSTR_EXT)
 - if ($exeName -eq "RSGame.exe") (PEHSTR_EXT)
 - main.UlhMFyDdoz (PEHSTR_EXT)
 - main.AEKCihaLRV (PEHSTR_EXT)
 - main.uydiOYgQCH.deferwrap2 (PEHSTR_EXT)
 - main.uydiOYgQCH.deferwrap1 (PEHSTR_EXT)
 - main.mOaSjsgDny.func1.Print.1 (PEHSTR_EXT)
 - test_lib/main.go (PEHSTR_EXT)
 - main.qHbLKcVFPY (PEHSTR_EXT)
 - main.BnMWnpUycO (PEHSTR_EXT)
 - main.HFdrQcLRTh (PEHSTR_EXT)
 - main.HwNcTblZxJ (PEHSTR_EXT)
 - main.khgzBwOcdS (PEHSTR_EXT)
 - main.RDF (PEHSTR_EXT)
 - main.cFVvJaclpr (PEHSTR_EXT)
 - main.oepNeSmKgT (PEHSTR_EXT)
 - main.cQPubDNZNj (PEHSTR_EXT)
 - main.neJDPbLRWD (PEHSTR_EXT)
 - main.VZCOQzehCp (PEHSTR_EXT)
 - main.WjLRMuNaor (PEHSTR_EXT)
 - main.EFTcmUgEtT (PEHSTR_EXT)
 - main.faqLSRWRlV (PEHSTR_EXT)
 - main.lnejYwfZkm (PEHSTR_EXT)
 - main.iiQhNBnnfo (PEHSTR_EXT)
 - TaskManager@stealer (PEHSTR_EXT)
 - rat\client\stealer (PEHSTR_EXT)
 - stealertest.dll (PEHSTR_EXT)
 - main.opWGippTfg.deferwrap2 (PEHSTR_EXT)
 - main.opWGippTfg.deferwrap1 (PEHSTR_EXT)
 - main.KqqAVmjanJ (PEHSTR_EXT)
 - main.fQyfTGPUtq (PEHSTR_EXT)
 - exithook/hooks.go (PEHSTR_EXT)
 - main.randSeq (PEHSTR_EXT)
 - main.KwPMHzDibl (PEHSTR_EXT)
 - main._Cfunc_wrf (PEHSTR_EXT)
 - main._RunPE (PEHSTR_EXT)
 - Poker.Properties.Resources.resources (PEHSTR_EXT)
 - AgroFarm.Properties.Resources (PEHSTR_EXT)
 - \Monero\wallet.keys (PEHSTR_EXT)
 - SOFTWARE\monero-project\monero-core (PEHSTR_EXT)
 - +)+.+0+1+3 (PEHSTR_EXT)
 - StealerDLL\x64\Release\STEALERDLL.pdb (PEHSTR_EXT)
 - Monero\wallets (PEHSTR_EXT)
 - \Users\Public\webdata\info.dat (PEHSTR_EXT)
 - WebSvc ... RegisterMachine w_sUUID (PEHSTR_EXT)
 - /C taskkill /IM %s /F (PEHSTR_EXT)
 - \Google\Chrome\Application\chrome.exe" --restore-last-session (PEHSTR_EXT)
 - dash.zintrack.com (PEHSTR_EXT)
 - /output/wallets/electrum (PEHSTR_EXT)
 - main. (PEHSTR_EXT)
 - .deferwrap2 (PEHSTR_EXT)
 - .deferwrap1 (PEHSTR_EXT)
 - .func1 (PEHSTR_EXT)
 - .func2 (PEHSTR_EXT)
 - .func3 (PEHSTR_EXT)
 - .func4 (PEHSTR_EXT)
 - .func1.Print.1 (PEHSTR_EXT)
 - .idata   (PEHSTR_EXT)
 - .rsrc    (PEHSTR_EXT)
 - .func1.Print.func1 (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - FlashSettings.txt (PEHSTR_EXT)
 - Minecraft Stealer (PEHSTR_EXT)
 - servers.dat (PEHSTR_EXT)
 - complex integrate build quick sun understand network power fast support (PEHSTR_EXT)
 - =.M&o (SNID)
 - database\wirefr\x64\HTTP\Intero.pdb (PEHSTR_EXT)
 - .text (PEHSTR_EXT)
 - `.rdata (PEHSTR_EXT)
 - @.data (PEHSTR_EXT)
 - .00cfg (PEHSTR_EXT)
 - @.reloc (PEHSTR_EXT)
 - B.open (PEHSTR_EXT)
 - fequal.exe (PEHSTR_EXT)
 - focustask.exe (PEHSTR_EXT)
 - http://46.8.237.66/spool02/Odgcgoez.wav (PEHSTR_EXT)
 - `.rsrc (PEHSTR_EXT)
 - CreateAndRunRegistryBackupScript (PEHSTR_EXT)
 - CreateAndExecuteStartupScript (PEHSTR_EXT)
 - powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command (PEHSTR_EXT)
 - github.com (PEHSTR_EXT)
 - vel criar o arquivo .bat. (PEHSTR_EXT)
 - vel criar o arquivo .bat (PEHSTR_EXT)
 - FluentLog4Net.Properties.Resources (PEHSTR_EXT)
 - LOTO_aplikacija.FrmLoto.resources (PEHSTR_EXT)
 - /up.php (PEHSTR_EXT)
 - \Thunderbird\Profiles\ (PEHSTR_EXT)
 - /c systeminfo > (PEHSTR_EXT)
 - Wallets/Electrum (PEHSTR_EXT)
 - Wallets/ElectronCash (PEHSTR_EXT)
 - %appdata%\com.liberty.jaxx\IndexedDB (PEHSTR_EXT)
 - wallets/Ethereum (PEHSTR_EXT)
 - %localappdata%\Coinomi (PEHSTR_EXT)
 - lid=%s&j=%s&ver=4.0 (PEHSTR_EXT)
 - TeslaBrowser/5.5 (PEHSTR_EXT)
 - Screen.png (PEHSTR_EXT)
 - Screen Resoluton: (PEHSTR_EXT)
 - POST /api HTTP/1.1 (PEHSTR_EXT)
 - %appdata%\com.liberty.jaxx (PEHSTR_EXT)
 - Mail Clients/TheBat (PEHSTR_EXT)
 - Mail Clients/Pegasus (PEHSTR_EXT)
 - Applications/Telegram (PEHSTR_EXT)
 - Applications/1Password (PEHSTR_EXT)
 - Wallets/Daedalus (PEHSTR_EXT)
 - appdata\exodus (PEHSTR_EXT)
 - appdata\binance (PEHSTR_EXT)
 - get-wmiobject-classwin32_computersystem (PEHSTR_EXT)
 - webextension@metamask.io (PEHSTR_EXT)
 - Monero\wallet.keys (PEHSTR_EXT)
 - .func6 (PEHSTR_EXT)
 - .func6.1 (PEHSTR_EXT)
 - .func5 (PEHSTR_EXT)
 - .func5.1 (PEHSTR_EXT)
 - .func4.1 (PEHSTR_EXT)
 - .func3.1 (PEHSTR_EXT)
 - .func2.1 (PEHSTR_EXT)
 - .func8 (PEHSTR_EXT)
 - .func7 (PEHSTR_EXT)
 - tsrnKMMRWaSmgIGBadTmRDVK.dll (PEHSTR_EXT)
 - EMgVkXRBlViHxiKJoGXomDnkozkr.dll (PEHSTR_EXT)
 - nxtSvXVgJXelyGLBfuddwnihiSLb.dll (PEHSTR_EXT)
 - wDSDpeHhJZHHlukYvJFvIbzlFEz.dll (PEHSTR_EXT)
 - QrUrwtPcnxxkwnxalgzJPWVFgTlT.dll (PEHSTR_EXT)
 - F4A685CA111882879036.g.resources (PEHSTR_EXT)
 - rKWJTiBuK1FSkuZvDy.XM7D23CHuvbooqaBrU (PEHSTR_EXT)
 - YHg8aAJxoeft8ja7nM.yJ3itPKfvVOmJkkoc8 (PEHSTR_EXT)
 - C:\Users\danie\source\repos\Qwest\Qwest\obj\Debug\ (PEHSTR_EXT)
 - powershell -Command "Add-MpPreference -ExclusionPath (PEHSTR_EXT)
 - powershell.exe -c Invoke-WebRequest -Uri (PEHSTR_EXT)
 - https://badlarrysguitars.com (PEHSTR_EXT)
 - TEMP=C:\TEMP (PEHSTR_EXT)
 - AfSdNM6/46ObIJJmWHHvpVJ (PEHSTR_EXT)
 - ProcessHacker.exe (PEHSTR_EXT)
 - procexp.exe (PEHSTR_EXT)
 - x64dbg.exe (PEHSTR_EXT)
 - Stealer.Edge (PEHSTR)
 - Yz]hJVaoKI[g}AmOezfXVVK|HOeaYV]TAT\EY@ (PEHSTR_EXT)
 - fnAti[t\Hmav (PEHSTR_EXT)
 - yYnGNxeMh{fgoxETJ{fbeJtza\YccxNEmxnhhYvaI (PEHSTR_EXT)
 - Account_Panel.Properties.Resources (PEHSTR_EXT)
 - JYM_Project.Properties.Resources.resources (PEHSTR_EXT)
 - ENCRYPTED:CPB7ti0A5zas/0dF4XBKzDiUIfmQ5RgrLQvDrYCST4M= (PEHSTR_EXT)
 - 88.119.167.239 (PEHSTR_EXT)
 - \Shell\Open\Command (PEHSTR_EXT)
 - https://www.chirreeirl.com/wp-panel/uploads/Wlvdlivs.mp3 (PEHSTR_EXT)
 - user_pref("extensions.webextensions.uuids (PEHSTR_EXT)
 - steamcommunity.com (PEHSTR_EXT)
 - RstrtMgr.DLL (PEHSTR_EXT)
 - Tm5McYSCxHrGi4S+xs0dRKxy+8/OKxRNXx1SEPQEI804Dz4Y8PunFang (PEHSTR_EXT)
 - TextForm\obj\Debug\TextForm.pdb (PEHSTR_EXT)
 - Ocean-ac.pdb (PEHSTR_EXT)
 - Taskkill Executed (PEHSTR_EXT)
 - keyauth.win (PEHSTR_EXT)
 - stealer_bot (PEHSTR_EXT)
 - Dwasakj.Properties.Resources (PEHSTR_EXT)
 - file:/// (PEHSTR_EXT)
 - main.CocLYFOOoa (PEHSTR_EXT)
 - main.lFDfigPOFq (PEHSTR_EXT)
 - main.CONTEXT (PEHSTR_EXT)
 - main.ISLAdTJUKL (PEHSTR_EXT)
 - PirateStealerBTWapplication (PEHSTR_EXT)
 - I02Op2e6ZD52OJInVolF/WhWwGUgukvawTLHcS4qp (PEHSTR_EXT)
 - PWGVuoIBdb/core_injector.go (PEHSTR_EXT)
 - PWGVuoIBdb/injection.go (PEHSTR_EXT)
 - celestialC.Stealer.FTP (PEHSTR_EXT)
 - celestialC.Stealer.Messenger.Discord (PEHSTR_EXT)
 - /svcstealer/get.php (PEHSTR_EXT)
 - 185.81.68.15 (PEHSTR_EXT)
 - /c cd C:\Windows\Temp\ & curl -o (PEHSTR_EXT)
 - Venom RAT + HVNC + Stealer + Grabber.exe.licenses (PEHSTR_EXT)
 - Charter.exe (PEHSTR_EXT)
 - bihjfosihuwgighuzhdc.tawor33971.workers.dev (PEHSTR_EXT)
 - $screenshot_path = "$env:USERPROFILE\AppData\Local\Temp\screenshot.png (PEHSTR_EXT)
 - ratnew.ps1 (PEHSTR_EXT)
 - ghhhh.ps1 (PEHSTR_EXT)
 - 94.159.113. (PEHSTR_EXT)
 - Runtine Broker.exe (PEHSTR)
 - kernel32.dll (PEHSTR)
 - Umbral Stealer (PEHSTR_EXT)
 - \Hijack\Release\SPIFilter.pdb (PEHSTR_EXT)
 - "p": "%appdata%\\Ethereum", (PEHSTR_EXT)
 - "p": "%appdata%\\Bitcoin\wallets", (PEHSTR_EXT)
 - "p": "%localappdata%\\Microsoft\\Edge\\User Data", (PEHSTR_EXT)
 - "z": "Wallets/Bitcoin core", (PEHSTR_EXT)
 - "z": "Wallets/DashCore", (PEHSTR_EXT)
 - "n": "chrome.exe", (PEHSTR_EXT)
 - constructor or from DllMain (PEHSTR_EXT)
 - @.idata (PEHSTR_EXT)
 - nss3.dll (PEHSTR_EXT)
 - Prysmax Stealer Cookies (PEHSTR_EXT)
 - Windows DefenderC:\Program Files\Windows DefenderKasperskyC:\Program Files (x86)\Kaspersky LabAvast (PEHSTR_EXT)
 - LOCALAPPDATAsrc/modules/cookies.rs (PEHSTR_EXT)
 - chromeGoogle\Chrome\Application\chrome.exeGoogle\Chrome\User Dataedge (PEHSTR_EXT)
 - schtasks/Delete/TN/Create/SC/RLHIGHEST/RUNT AUTHORITY\SYSTEM/TR[CLIPPER] (PEHSTR_EXT)
 - cmd/C96.9.125.200 (PEHSTR_EXT)
 - Users\Public\Libraries\systemhelper.exe (PEHSTR_EXT)
 - revshell.pdb (PEHSTR_EXT)
 - aeblfdkhhhdcdjpifhhbdiojplfjncoa (PEHSTR_EXT)
 - www.new.eventawardsrussia.com (PEHSTR_EXT)
 - src\executable_loader.rs (PEHSTR)
 - WinHttpWriteData (PEHSTR_EXT)
 - Failed to set proxy blanket. (PEHSTR_EXT)
 - Decryption failed. Last error: (PEHSTR_EXT)
 - \Google\Chrome\User Data\Local State (PEHSTR_EXT)
 - powershell -Command "Invoke-WebRequest -Uri (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - C:\Users\danar\source\repos\opretorsa\x64\Release\opretorsa.pdb (PEHSTR_EXT)
 - %s\wallet_dump_%s (PEHSTR_EXT)
 - Credentials/Microsoft_Mail.txt (PEHSTR_EXT)
 - Software\Microsoft\Office\%s\Outlook\Profiles\Outlook (PEHSTR_EXT)
 - %s\katz_ontop.dll (PEHSTR_EXT)
 - 62.60.226.191 (PEHSTR_EXT)
 - ExecutarMetodoVAI (PEHSTR_EXT)
 - caminhovbs (PEHSTR_EXT)
 - celestialC.Properties (PEHSTR_EXT)
 - get_AllScreens (PEHSTR_EXT)
 - ScreenToClient (PEHSTR_EXT)
 - ComputerInfo (PEHSTR_EXT)
 - /.exe" -Force (PEHSTR_EXT)
 - ExecutionPolicyRead after Close (PEHSTR_EXT)
 - 127.0.0.1:53 (PEHSTR_EXT)
 - Command (PEHSTR_EXT)
 - killing Cmdexe (PEHSTR_EXT)
 - Bot/New/Launcher (PEHSTR_EXT)
 - Data\Armory (PEHSTR_EXT)
 - \FileZilla\recentservers.xml (PEHSTR_EXT)
 - \wallet.dat (PEHSTR_EXT)
 - Wallets\Atomic\Local Storage\leveldb (PEHSTR_EXT)
 - Wallets\Ethereum (PEHSTR_EXT)
 - \SOFTWARE\Bitcoin\Bitcoin-Qt (PEHSTR_EXT)
 - Wallets\Zcash (PEHSTR_EXT)
 - \TEMP\BOFUPMJWUSFVSNIBDJEE (PEHSTR_EXT)
 - Wallets\Bytecoin (PEHSTR_EXT)
 -  .[P| (PEHSTR_EXT)
 - Hh .[o (PEHSTR_EXT)
 - Js) (SNID)
 - StealerBot. (PEHSTR_EXT)
 - /ISPR/ (PEHSTR_EXT)
 - TEZUV0JVVExe (PEHSTR_EXT)
 - reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v AdobeUpdater /t REG_SZ /d "%s" /f (PEHSTR_EXT)
 - cmd.exe /c (PEHSTR_EXT)
 - myth.cocukporno.lol/screen | Victim (PEHSTR_EXT)
 - ?a=http&dev=1& (PEHSTR_EXT)
 - shell_exec($c) (PEHSTR_EXT)
 - \Local Storage\leveldb (PEHSTR_EXT)
 - webhook.site (PEHSTR_EXT)
 - \discordcanary (PEHSTR_EXT)
 - \Lightcord (PEHSTR_EXT)
 - \discordptb (PEHSTR_EXT)
 - main.decryptData (PEHSTR_EXT)
 - shellCommand (PEHSTR_EXT)
 - sendScreen (PEHSTR_EXT)
 - salat/main (PEHSTR_EXT)
 - \\.\Oreans.vxd (PEHSTR_EXT)
 - .idata (PEHSTR_EXT)
 - SOFTWARE\WinLicense (PEHSTR_EXT)
 - DontStopIfGoingOnBatteries (PEHSTR_EXT)
 - Payload execution failed (PEHSTR_EXT)
 - DLL resource tidak ditemukan! (PEHSTR_EXT)
 - \steam\Token.txt (PEHSTR_EXT)
 - \Pc_info.txt (PEHSTR_EXT)
 - \\.\pipe\ChromeDecryptIPC_ (PEHSTR_EXT)
 - /61GM (SNID)
 - Realtek_HD_Audio_Universal_Service_Driver.exe (PEHSTR_EXT)
 - -NoProfile -ExecutionPolicy Bypass -Command " (PEHSTR_EXT)
 - p://141.98.6.130:5554/ (PEHSTR_EXT)
 - p://84.21.189.22:5554/ (PEHSTR_EXT)
 - hacker666lgbt/binaries (PEHSTR_EXT)
 - Phemedrone-Stealer (PEHSTR_EXT)
 - DownloaderApp.exe (PEHSTR_EXT)
 - F_k.Q_Y.O S.z_t_u_n.7D z Xj.h.x k<_X_j fJ O.L B?.x.P.f_d)C_jE.s7 (PEHSTR_EXT)
 - H k2.lF_i7o.u_d H.c.m u.S.R_C.k_t Q.hM.ie (PEHSTR_EXT)
 - 8.1.A.8.p B_M_W.7x Da_l_S.z.4n K.8.N K,b_P.V.vha_V c3 Km k4_u3N.K x.4.O_j.o o9 E_n.y Y.s_e.Xw (PEHSTR_EXT)
 - OIv_a.O_P:m.H_I3u.R(s CT_yM q K_iOM Q rh.B Jv.n D F3 l+ j.L_H (PEHSTR_EXT)
 - Y U.r_i cVh.VZ_B Y p_h.3n.w Rg.e_H (PEHSTR_EXT)
 - z u_T_j o_R| LKp b- Z_dE t V_mx.ac: I.8c+.aM.K.8b A2_y l@ P M.9!o.n (PEHSTR_EXT)
 - D p C\.r.Js.D6.G Wv.2u.R.T+.BR_cM H.W.T&X.G.R uvz.ux_y F_q D (PEHSTR_EXT)
 - WinHTTP Uploader/1.0 (PEHSTR_EXT)
 - ShellExecute (PEHSTR_EXT)
 - StealerCrypt.exe (PEHSTR_EXT)
 - .svG  (SNID)
 - #discordcanary/Local Storage/leveldb (PEHSTR)
 - 1Opera Software/Opera Stable/Local Storage/leveldb (PEHSTR)
 - 5Google/Chrome/User Data/Default/Local Storage/leveldb (PEHSTR)
 - Yandex/YandexBrowser/User Data (PEHSTR)
 - Vivaldi/User Data (PEHSTR)
 - Microsoft/Edge/User Data (PEHSTR)
 - Telegram Desktop/tdata (PEHSTR)
 - VBoxMouse.sys (PEHSTR)
 - VBoxGuest.sys (PEHSTR)
 - vmhgfs.sys (PEHSTR)
 - vmmouse.sys (PEHSTR)
 - vmci.sys (PEHSTR)
 - vmsrvc.sys (PEHSTR)
 -  SOFTWARE\WOW6432Node\Valve\Steam (PEHSTR)
 - Cookies.txt (PEHSTR)
 - system_summary.txt (PEHSTR)
 - http://api.ipify.org (PEHSTR)
 - Discord_Tokens.txt (PEHSTR)
 - screenshot.png (PEHSTR)
 - Passwords.txt (PEHSTR)
 - Reflective DLL Process Injection (PEHSTR_EXT)
 - chrome_decrypt.log (PEHSTR_EXT)
 - chrome_inject.exe (PEHSTR_EXT)
 - logscx\creditcards (PEHSTR_EXT)
 - logscx\Telegram (PEHSTR_EXT)
 - logscx\sensfiles.zip (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
dfa0de28c45f1a8d78f2170673ce7b88cb7fd0f82533de227371ed44519e45fe
22/12/2025
Remediation Steps:
Immediately isolate the infected system. Perform a full scan with updated anti-malware software and remove all detected malicious files. Force a password reset for all accounts accessed from the compromised system, prioritizing email, social media, and financial services. Educate users on identifying social engineering attempts.
=== END REPORT ===
This analysis was last updated on 22/12/2025.