IOC Report
ZoomInstaller.exe

C:\Users\user\AppData\Local\Ailurophile\History\Microsoft-Default.txt

ASCII text

dropped

C:\Users\user\AppData\Local\Ailurophile\Passwords\Google-Default.txt

ASCII text

dropped

C:\Users\user\AppData\Local\Ailurophile\Passwords\Microsoft-Default.txt

ASCII text

dropped

C:\Users\user\AppData\Local\Ailurophile\info.txt

Unicode text, UTF-8 text, with very long lines (425)

dropped

C:\Users\user\AppData\Local\Ailurophile\stolen_files.zip

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web.db

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\passwords.db

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\webdata.db

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3z4uwxfe.fci.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cig3xdrr.qj1.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mngndqvq.ulc.psm1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nau0334u.ney.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p0gvwhgn.j2r.psm1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p3eiig4y.fce.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_umb4p1ct.5co.psm1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vb4beibc.i21.psm1

ASCII text, with no line terminators

dropped

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\tasklist.exe

tasklist

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

https://go.micro

unknown

https://contoso.com/License

unknown

https://manestvli.shop/upload.php?

unknown

https://contoso.com/Icon

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17

unknown

https://api.telegram.org/bot%s/sendMessage

unknown

https://manestvli.shop/upload.php?C:

unknown

https://www.ecosia.org/newtab/

unknown

https://github.com/Pester/Pester

unknown

https://api.telegram.org/bot7576282251:AAG0mg-rIFL8SDgfm15Nk4l51UZeLB-cEwU/sendMessage

149.154.167.220

https://ac.ecosia.org/autocomplete?q=

unknown

https://manestvli.shop/upload.php?data=bDkyQVpaZGp1YXE2bU0raWZhUFJtWUNJaGQxN3phMmRsWGljcThhdG1KK1drT

unknown

https://api.telegram.org/bot%s/sendMessagehttps://api.telegram.org/bot%s/sendMessagechat_id=68432125

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install

unknown

https://ailurophilestealer.com/bot

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://oneget.orgX

unknown

https://aka.ms/pscore68

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016========

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

https://oneget.org

unknown

https://ailurophilestealer.com

unknown