# IOC for HackBoss

Malware analysis and more technical information at <https://decoded.avast.io/romanalinkeova/hackboss-a-cryptocurrency-stealing-malware-distributed-through-telegram/>


### Table of Contents
* [Samples (SHA-256)](#samples-sha-256)
* [Network indicators](#network-indicators)
* [File names](#file-names)
* [Mutexes](#mutexes)


## Samples (SHA-256)
#### Archives
```
4C916853CCD9E7337AF557385FD5EF2E05A62F501B0CF4D7BBC3F9153D206350 - AirbnbCom.rar
50D6A87FB43C486D4171DAE91A2897A8652ABC27D9067418ED48A2AE725AD5FE - Amazon_gift_card_gen.rar
59F9AE970FFA26E31A8131A047C5C1415A1EB17B4BCA76095282CA146932C61B - Amex.rar
65AC1AB8C60EC8BDD45F59AE07103E218A7C307AFDD2BA92E3F687100914399A - Badoo.rar
DFB9ACD09E1303BAADE8C6D71E96489486F4B0471DFB42EA759E09919B717C6F - Badoo_BruteChecker.rar
C3AE43680C910239EA81CD2EAB6A450425C310DE54889BEBF96E48121CAD3BEF - BankCom.rar
B428B9CB3E8AB619FEAB2AF246A96791E3469621478A676A93C2D55906644135 - BankComb.rar
2771DDF380B065F4887F4DF271DBB5ECAEAC845EFE817D55676D41F09BE81C78 - BankCombain.rar
BA50C97E9CA718407AD3AA5195C461F5AAD73FD79685B704686C129772D5AE62 - BankCombain2021.rar
8BE15479F95785054F28F65FE9898C7CEC8DAF29E14F737172E85C1DC3DDD15F - BankCracker.rar
E32A4F828C556AB385A2BF66589BF8854EA9F370C5DFDD0E605911E8CAAAB73E - BankTop.rar
26E17367A3276321CBD553A194A296B6A53EC5C107EED26C12F6A66D2BF8A1E6 - Benaughty.com.rar
FB225C7902D5C876C9BBF4F4A48B047EB4E074838B8C8A4D6B9AD342C920710B - BitcoApp.zip
D2610FE83CED2C92C42DC36365819D54B9BA6FDD77C7E7B728E37858547B9554 - BitcoApp.zip
C6476784FF00D5FB5607716B225D4AB697F762E3D8AADD9C6A75320C13FC7734 - BitcoApp.zip
1772628DF187D1EA56F2D0FCE1B257F2E19DB1C03416F1C22FDF0841BBA2BA6E - BrutePrivKey_Cracker.zip
DDA2A8EE0B13E12ECFA37BA850ED6F91AC8AF0383A6384EEF59D91CA7828C5A4 - BuildBTC.rar
F78927E884724D7DF3E274724F340AEB655E3BD6C6D88B9BC1CBA36E56BEF0D4 - Builder_Stealer.rar
21BCB9F01C0CC8BE4FC5455F0C30314DDCC6F799F9476682B048BBCF1C068B45 - Chase.rar
90AD6734824FA251E03CE8363E629D6CF3D3A9FA7F30C4859DF4DB15ABD46345 - Chime_Brute$Checker.rar
77231FCCE5AF7F66DD1F94580150E0BEA08C21119D81C4A831F38799B7076CAA - Citizens.rar
8428F06EE038688FA3B024C53C51DAA216B128D3D06166068811DFACA6FE7BBC - CombineBA.rar
D7D7765B51B7E793AC221A61BF2C9A34C614EC1B46D922CFEA6BF71ABE7891D1 - ComboCreat.rar
805D4E8CF09FE2E8CCEA7A7EE3AFE1641FD0B9EBCAB501AD906BEEA0B7CABB3F - Cracker Bitcoin private key.rar
D54D41BE67625E3298B906B93C7A9811242FE4C2C8BF6B81D7974239052FFD8D - DatinG0.rar
68BEF2AF94A61A5A2195035CBA23DBA3DE834FDF26603F6CDA6B0856E776BB1E - DatinGo.rar
22F34A53AB5D2BB554159E695F336FE75DD4C8817721835E549251BFE11B7D7E - DatingIco.rar
83107AA69DDECA9B2B70E49AB2CA91468A3EE07C5AACF7B035B56CEC10B536E0 - DatingMix.rar
D33571435803D75846F9CA0EBB81A1E2C2B859F2E5C4A709DAC0571AAAC9F348 - Ebay Brute&Checker.rar
796BAB707BC08F7B79494A804A1C0C2D6C952BC4858F1D8DAF8786767617AE8F - Epay.rar
FA839F81049E00CE9981DCE117DF171939ECBD1C4EDE2C47514387026D8FD9D6 - FaceBook.rar
5249AD1C26AFFA3B15BC2B73DA39126621C4E426308BB4FD357D4CDA4123BA1E - GeneratorAndBrutePrivKeyBTC.rar
3D490959CAB777506C83EF1FDF4D273B992CB693E6A691B4AF66C61F61583C12 - HappyChase.rar
A7776AF49A25664E6CB1478CC6E8BC460DACDDE95D3797E3ED35286D3C4ED604 - MatchCheck.rar
5BD9A9113302E5AD7A866BCC95E81C931CB04B07B4CC00A5033376654E4C3422 - MatchUS.rar
1CE5E30E8A74E5244BB8ACEED2ABA13A05CAFB0D2612BFC3EE8D5A3921F9DB88 - MegaApi.rar
5B6D1A5A7C4A7D2485BDBEFD396F276C1C89E423A7C595F6ABFE231F28A504E2 - Ourtime.rar
01753BBD00642CC37E3BA5664B0DBDDBE8FFA493E70988D599512D8668A12D0F - ParserLink.rar
3243C113916D6EF4C44887329D8EC573F2F2D7EB3B061EB74976452282CC8825 - PayFast.rar
2A76003A2C7E733F6BFD0468E267D32ACE438B42DC6712E94BE7A0E5F02BBA87 - PayPal_Brute_v2.rar
6235FCC30C58AC7855447FF924C132A04E1B11F658CD27622CF9BA52E2B0A182 - Paypal.rar
E55AAFB86D3178CA43E67D730D643ADB77BF055CE5779DD735DFD1B411879352 - Pof (by LulzSec).rar
13FD093CA563B252A48940DD1880754F3B2BBCA54CB7B997FDE1452DF02E99F6 - PofFullChecker.rar
B3BF515DCCF58ECBA7F44F8DF4DC6E25D280E9FA1AF8082510F61F0CFA37F2FA - ProxyScrape.rar
DEC28A54F8B014AA5DBED1CE034A1DC3B7ACFCB950266418C0743E217292F0DF - SQLi Dumper v.9.7 [Cracked By PC-RET].rar
2983FA1D672D4DAB194ED1D4CAD1A0EA2A1DEE6A76F9AA38253078F896174851 - Smtp_Cracker(Brute).zip
F91005CF0286818D29812780A9C02E80CB8C4A9F9CC498A0B5A1CF3A5C2CAD10 - TelegramSender.rar
C1B8B512FB9445BBE515C194DE5E371EC5EEDC980204629A32111E35B576104C - VisualStudioKey.rar
5C1B26C12DE1517A105BB09EED20FF0624B6D60BC700025649E17715B6B4650A - WishShop.rar
4C46D0B5BE84E91480C8B61CB7762EA8EB75D6878764D1AEEFA4572E440A2E65 - Zoosk.rar
60EF02CBA512E9908111BBB860D0CCD240D6AEC8899A418FF67753632EF9FD15 - bank_Onpointcu.rar
442DEA1F0A964706CF6B1C94F39509289C0AD0B72918770D5993464F4B97E849 - bank_andrewsfcu.rar
F420F45B0EFF9234D715F23B4081D4C3248558F90D9066E8D4533063C1E38D31 - kitco.rar
B5D9580EE9C6302E0EEE173C5CFF384A490813BB863BD2506718C75194B1E0BA - mate1.rar
31B90D8B0D4D24D2932784585BEC20BD3E24CD4CCC7E9C8FDD03180B585F7C5F - ny.gov.rar
```
#### Executable files
```
FC9F06517E92E119692D946CE97069D1948E35E224840598DF56F71D8AE044D4 - Airbnb.exe
363EF27F603D6CF5E843BBF44E6EA4EEC112E97F9577D1BE703FB89E484E433B - Airbnb.exe
4370FB6EB93D35A7AB15EA312F94371172F1E05065833EFAE335AC8CA904849B - Amazon_gift_card_gen.exe
22764E629E6778155D8F8358726FD837B282BA1A16773844FCB10B4B8704D8C9 - Amex.exe
6D5C3D3BE26D4A333D52C6C876BAC64DC96C40D1F93DBB9580135AAB94610BAA - Badoo.exe
C373B1B88EE6CCCF38B50D5CAE2B43FF3C4042319FC2518B2B8D9EA28D5EB5C8 - Badoo2.exe
57E40581C5B12F5F0ED7D7C23C717C95653C573337B4A326367E24305089E78E - bank_andrewsfcu.exe
399921E9DCED6491223AE31E4F56530310DC22E90B4241FF39C28C8B25FA841A - bank_Onpointcu.exe
57A859CF8D19C90623ED8598C282D94EAD4CAAC81E4A27082F9C1AE44526F67C - BankCom.exe
7B41D2106EBD53CE23C0D50A245EC307108FB686664F7DF310CF78975FAA38CC - BankComb.exe
064B3A2BA31B755E3FB0699E40219D9700330C7D459B2C9E88AEB172B3BE1810 - BankComb.exe
28799F0FEEB0214EC31DC0615A3526AEA7A2F68B692BC30B2A362F163077EA17 - BankCombain.exe
4386742E3238E6E347B394AE8B1D9DFD7070B63C06A91745DBB6C7825D866FBC - BankCracker.exe
7466BF1FA87C77A3C7197D582D361BE5E057D5286BA66962E03C56D515BA1336 - BankTop.exe
908663AEFB1EA1EE6FCEACB99FFDD5595C247779278612A08B58F44BBF385085 - Benaughty.com.exe
3EB8556E29DA422B183D657E1CFF09FF6ABC66EDD26AEA6B87CFE710C8746502 - BitcoApp.exe
DB7832DA08A75A827960F84974E18571D23BC698C80D239D8D126D11D70C8805 - BitcoApp.exe
C038CF88206371D35A0E89612D8781CDFA69CC37FC5391A8E92D252AC6B9F0B1 - BitcoinFakeTransaction.exe
B97F51C35CEF3C2325BBAAED3C38AA19513AA240864C506B83130D0BCAF686B9 - BitcoinFakeTransaction.exe
CCDEC5EB1E04A4B988B5BA71053B5957C2C88A258F5CC8816E27651491F950E4 - Brute.exe
DDFB1F2638EDE0A8CEDA6136E99802B29FE8E5E3342EDB14B21835434C194B95 - BrutePrivKey.exe
C19A11F392B69827DE83BA06761EFF059741D084F0EC92C83D06BD4B794326A9 - BuildBTC.exe
CCB5ED92E25AF56433933BBACFFA1586D422C20A610B48A5E89C0344017E2748 - Builder_Stealer.exe
0E7614A4C207E6E0504F57FFE014447CA79127B5AE995B1A09AF0ADB427F2AC4 - Chase.exe
4C566CFBF8A37FDEFA304CF0D3DC9A4C871D37D454991C51AFBB2BD5EE22CCA1 - chime.exe
A79AC2F2A09A62FACDC7EE9E21BB109A80EC6C082E13D85D705ACDD21B4A387F - Citizens.exe
161C3AB9AB8C066109580E2BFDAE1037EA0B567537A5B9A5E6278E219CA533BC - coinoco.exe
47804FBB6BB7877CFDF15DE99FD5B18F21EA6F9542BA2BC6E129563DF8B7C2C0 - Combine.exe
3D06C30853F8BB370A2ECD7865F77F0B22932B6C7855C79D10CFB46EB7866766 - Combine.exe
A359A72B0A53AA21B52521B8128A2932B276947E33BDC01EA6CB5D8019E4CB71 - ComboCreat.exe
2498572B0A767B4135DC8E8232C7EC7B546C933ED434E20EC8DF3F3F45AC57FC - Cracker Bitcoin private key.exe
3530FE5DC925B9568CA485C70893C57424E917D6F4E22E15EA4CCF24EAB460CF - DatinG0.exe
BFFC1199592463F2229B9AE48EE901BDC0515C955215BC9A171631D326CB409E - DatingIco.exe
B1A878E39A4C2CD12BED9B1FC53D571104004841303CCEE5C4DCD67B7E198D80 - DatingMix.exe
AAF35ADE093448C42C6D8BBE58D920584FD320EA91D879486186EF34622D7EA7 - DatinGo.exe
09BD02E180FD3F92FB0115F6F768CD1AF0B37EE1176B10E007F4BFEC0D77E936 - Ebay Brute&Checker.exe
D78F1228DBA14133045707880CDD09BD5A4743703667286A41E1B43650E6065A - Epay.exe
7BA5855901A108E1F958B8D2683599E8BEF82D7CFB2AAC6C040D688D20534FE6 - FaceBook.exe
5EA5DA6F2E52526A63258FE73973B9672E7D10055832DDF28C35204706143A5D - GeneratorAndBrutePrivKeyBTC.exe
199FF1923C908A8BC639CD80B5B0FE642222EA2DD58D64B4E2DBC5A01037C0AD - GeneratorAndBrutePrivKeyBTC.exe
F1461C68D1A2D73533671BA7D1CF11F40AB33F62C8E6EEAE773A4DA35C0E1FF4 - HappyChase.exe
38F33C2B9C2D676A230B3F71AB021ABF1DD5572108E3679D8EA9A6BD95307ED9 - IAmazom.exe
DAC381361F911EEF5AD9BB0FFCDF3D5A0A96C6D70E3F7AD15D3E729A417446F8 - IBCbank.exe
063DDC9AF98E118677C1D40344BCEA135390367F8E65D84A706E55CE103D4F5C - IControl.exe
93FD746D55DCB8EDD4F9095DAC240E32680D15E663227E155516C035904D282F - MatchCheck.exe
E0222BD72FDC1FFA3241EDF43D265852B0EDCDB3D1BF003DC05B827AE1EF7042 - MatchUS.exe
3454444960BA3E8099F1FA9B6DB24A018EB282DBA22DC69DD5D2E8F19BD0ACFB - mate1.exe
A0DF556E936BE91D4F61400616A3FC8DCAFD6712EE467FCCAAF12E7A12C1A0C7 - MegaApi.exe
D7628E77C593254925F3EA507D4C526B047FBC9C25D3EBDF716504B873DFDEAB - MultiDating.exe
D8F254CADFE601F63D569F53E3BEA5592974A786C1F2B0C49D569063D4FED390 - ny.gov.exe
C8316F6A7409EADE1D93D891243B6EDE9D80E7C8E5D5957363A66B52DD59503E - Ourtime.exe
21534511EC6BBA6D02259F885353C81EF2330787F20481140496DCA1AD84EC8F - ParserLink.exe
763570AD58A8F0EF340343A02363F1CB49B7DB75F02CA51A42608DC594472B3D - PayFast.exe
8AD5E0246FC81AAF2F3083829AA1D8419C281549B783BF2B97132A6388D559C5 - Paypal.exe
2DB410056AD808F6BD12721EFBEE012BE5772CC9B72FC341058104C33C450059 - Pof.exe
628435017444A119136D053E08F8A572A2B0AF6CD55F06E329CDE77D638CB647 - PofFullChecker.exe
54C48DC70286B7106EB985C7AE3A5F02DF1E7B3229E7D0A74051B3E8A67B32E4 - ProxyScrape.exe
81D407F1AD372CCDED9CA12CB5090A3AF11FB402CD8B29491A78DA693625A14C - SendTelegram.exe
FE70E72F8BB0D202D5C26CF5C1319842A8830A76F6D727BFDC0D2B52C6438A63 - SmptSender.exe
60342CDF85D553D1BEE6E4B8D55B8E4E4417C792AE5F4C0D28211EB6767E3FBB - Smtp_Cracker(Brute).exe
3998E2BA6588279A49570F61DAEF37D108E446DB960B7A41A3C0BC8CFBFA271F - SQLi Dumper v.9.7.exe
104C8236A281E03423DE1A1CBF566EB41CE33B7A42651461F61CCC82AA8DF538 - v2.exe
EE39590D55C8145534C30F5FFEC1AE66F8CA8E31A319A1CB061B18587F6DF7CE - VisualStudioKeyGen.exe
F502E00CE95D2374C0BF98D259C97BC360C9112A61C36412F2ABD7389486CDEA - Wish.exe
BC08A9F9D7517BB53E62EFFDD012F6357ADAE47FFDA41EA9206C772E24ADC43F - WishShop.exe
853B97F7C3B9F01850E83AA8C57A21FD5F896FFC97F05034D6C8CD625A77A190 - Zoosk.exe
```
#### Encrypted malicious payloads
```
956FCAA432FB7BE2B8BCF863B1998D125A1E0E490518BED3C7B77BE9CC9B7192 - Ce1oJl2u.exe
D4904F755764752EAE7E8B58C927E9D8ED6807AE4D6B4B9CB1D2C0144DE29C13 - Defender.exe
A42794BA75CC315F624F1DF37B51F9981229B551873C73560545CC17F27D385C - DefenderUpdate.exe
775AE003277F3E6A10D47F9412A469C0AE38671572228B867D2568868F9DBC30 - FlashPlayer.exe
7F442358CFDEFD99F3346099B0318F95CAE3BA8FA0C3C00188273AD3F877E50D - FlashPlayer.exe
C41247F10F43D254B1134C4A360E193DC9D2B30532571A298219F8DE9B4445CC - FlashPlayer.exe
C039B400D495D1901F4F7D9E716CE30912A8146510BB884CA5FC88BDEB6BC62A - MSASCui.exe
C4499F2A4D4509084D8EEFEB7516665810D2224454C1E0005DCB80A656D648FF - Net.dll
D45865A5818C168CC16A8623AF5EC0A41CC3AE04A9B221163B5CC6D4FFF1B3AF - Runtime Broker.exe
5D6CF49E65C9A09396A8D76E55841D1110D66DB5ECF4A25705F1E349DAB7221A - RuntimeBroker.exe
BF7B3E1A9369468A4A6C037F0132317CF3D30316D1EDB82BF560A1550281CE4A - RuntimeBroker.exe
EC30FEF4785A86BE5F56DA1FD37C127EDF3D5336C10E855862CE9F99F50115F7 - SecurityHealth.exe
A58CA04EEA862FDD4149F3D238821B5945211A3A323B6548A897C6E65337502F - SecurityHealthSystray.exe
E0E99E28383285C8A3A87DD432FF4BDE9BA671FC426F08C3B768BCE893C230D6 - SecurityHealthSystray.exe
720910B3043A665C42D74988440DFDEBAE706B53674294032B6AD86E966E6F06 - Upexee.exe
079FE5844D3F58A77B3B724505E68C1D57CF99718E3940D44AF024BFDC8828F0 - User.exe
4FBC9F6640D87DED0407F757F9465893B582B27B2226E4130E6C9BB07AE75C79 - UserAccountControlSettings.exe
FCED6B6F3F4EFEC8821F12E536D29358C5CCE0F30FF41F39AE52C68C2FD2EDC1 - UserAccountControlSettings.exe
5731FFE3792C43FA59B3EE0AE88B82C360BAB08ECD476C316C4EF1CACFDD9EB3 - WmiPrvSE.exe
5B125D99BB9DADCC5C718F55DF65EE9065446B0D935D28E31DECBD4271E5D34B - WmiPrvSE.exe
74BE37B8E2715407353CF35A56316F09156817CA9D8D5E4A537821DF4AB88664 - WmiPrvSE.exe
C8720DDA36C403BF6424E27DCE4CAEEDF650B79DBE24B4BD48BFE47AC75F2842 - cssr.exe
4281BBC6A8F13FA8491202F99BDAA4CB51C4AE649D9135CBF230769188D1C998 - splwow.exe
E7C582BE6C599AE1EF3A93DC6EE90154EE6230A177637E3A3BE66614EBA50673 - splwow.exe
E29AE405C09E400B1FD7A5F230839B0FF30D5714C0C9B88A5F3783AF03230BAE - vbgujr7v .exe
6F51F7C331D38BA9B8F6BDBE1C3B599E3A8705BB946224608ECBDD4B66B1EE52 - vbgujr7v.exe
```


## Network indicators
#### Url links containing malicious payload
```
2no.co/2OTXs3
2no.co/2uJGT5
2no[.]co/2QEF66
anonfile[.]com/B9g2H307of/Citizens_rar
anonfile[.]com/Zcx7N9r8oa/Chime_Brute_Checker_rar
anonfiles[.]com/15Kfs7C4of/FaceBook_rar
anonfiles[.]com/15Kfs7C4of/FaceBook_rar 
anonfiles[.]com/74kb9064qc/Chase_rar
anonfiles[.]com/B7I4icecpc/GeneratorAndBrutePrivKeyBTC_2_0_zip
anonfiles[.]com/B7I4icecpc/GeneratorAndBrutePrivKeyBTC_2_0_zip 
anonfiles[.]com/F5y1ReA4oa/BankCom_rar
anonfiles[.]com/H0J53ck9p7/PofFullChecker_rar
anonfiles[.]com/Jbf808k7p5/ProxyScrape_rar
anonfiles[.]com/Jbf808k7p5/ProxyScrape_rar 
anonfiles[.]com/LeS9t5J9o5/AirbnbCom_rar
anonfiles[.]com/T9Gf41Tcoa/DatinG0_rar
anonfiles[.]com/V4s3B0H9pb/Amazon_gift_card_gen_rar
anonfiles[.]com/Xbpf05k8p8/Wish_rar
anonfiles[.]com/ZdT0a6lep8/BankCracker_rar
anonfiles[.]com/b8GaC1A3o4/Badoo_BruteChecker_rar
anonfiles[.]com/b8GaC1A3o4/Badoo_BruteChecker_rar 
anonfiles[.]com/h5l84aFao9/mate1_rar
anonfiles[.]com/l4Ccn34ao5/PayFast_rar
anonfiles[.]com/l4Ccn34ao5/PayFast_rar»
anonfiles[.]com/neK7WaD6o5/BankTop_rar
anonfiles[.]com/r3ffadg9pf/MatchCheck_rar
anonfiles[.]com/taW231Bco4/ComboCreat_rar
anonfiles[.]com/vdJ1D4U5o5/CombineBA_rar
ezstat[.]ru/2uNGT5
mega[.]nz/file/0Uh1FQxa#H28pgAJpnnuu2VmzZpUOJtUFmYnLP9cJEvK6ElltJUc
mega[.]nz/file/0hgWwBSC#iIVnAImaF6CkA-IzGvmNulS8enc0XTAotAgvJ4aOjOU
mega[.]nz/file/0t4zDKTL#hpGw259NX2Y1TNeEd1aSjPn2gNI1DNTDU_zmHSeuQY4
mega[.]nz/file/1ohS3A4Q#D3IqYeVhT40JWyCfMPSeavKL5k0WW6MIQ7hRSxJdwps
mega[.]nz/file/4gpCBCAZ#h9T8eS71CwXVfLRLwWt4exP9MWYoCBI89exeCL1GLIo
mega[.]nz/file/4hhk1Kyb#9TxYVzWR1oTBvcjLBHfPWC1xUmuk8ZXksjK00BWBVVs
mega[.]nz/file/4lAQ3A7K#xTauQrfLt-YtBwvAmXDtFrxjMEEQJGnqXhJ_9ZWas_M
mega[.]nz/file/4xRkjRCZ#4lTp9wbjH7luLlLbRYnZWPni1SSXqxhs5e2i52owqF0
mega[.]nz/file/5wRzhAoY#rWL97o8gLv4SDXajQW-rOYjc6WHQDvI8i8nq6mR8uqQ
mega[.]nz/file/8l9U2I7S#Z-6pTRYsTP_V-DG9QGi5ro_VuVmN98fGHwH3ai-xQnQ
mega[.]nz/file/8swQQYpZ#Hn7zudXDTMd2e4_keEKkZdnFO4I1sijP7DQMY0Lyaf8
mega[.]nz/file/9lhCkACa#s4GSXbIkkQJ9eNNnb7F26bCLLnBypTxuQJb2_uDxAc8
mega[.]nz/file/AxJzTSxQ#VZg_YvwP912OBAOJmUs4Ynfricl93IbvGVzrGGCbUzo
mega[.]nz/file/B1QgjASD#_sntWOSQO1SqJ54ia4lHK87wIdExpfwoO2VepA1DppA
mega[.]nz/file/BNo3iY6J#pSQapX4q-ZOCccf-8ktUNMCIjbM5ctVsUg7GaD8tdE4
mega[.]nz/file/BlhTAYgY#jaTpHRlOU2roIeWeS6aYGNUmSm-ncxILmN303Ucgy_Y
mega[.]nz/file/E4Ym2RSQ#oE8iWSNt9Sfb0sR4_mIzYDy58Af6j4h92cOnp2_gpW4
mega[.]nz/file/FJgmSaSR#QeAn5MWmq8JWFXMhGq3ELVQbqsRaH3Z3j2wrmTj6nTw
mega[.]nz/file/I1RFTQrZ#UD9lW1FeAccIRNNt3Wp1l5fKFtRPHEWdnYY78FBnTU0
mega[.]nz/file/IsgEXQSQ#mEN1W88KuV2ffEvD-XYkLXzwFPxgHHgRddZ_ylMeh1k
mega[.]nz/file/JF5BTKpQ#wrOtkfNswmy_g8Jpta9ARln_mJMzALOIxUYpas1dxnc
mega[.]nz/file/MphFWQAL#VA5_7WwtG16236gFu8LuDnD5Hefu5sZ5rgRKpbSA8jc
mega[.]nz/file/Nl9hmKbD#sLCTbv6zsAzIPfnz9G7suYYe_JB81XJW0MP2-UnknR0
mega[.]nz/file/NsxiQbgS#vgZIX9m93fZ13erCT9wEvUX3Mp7Qf7pxyGrD08hDpG4
mega[.]nz/file/QMpnhYQT#t-viTJ-7V7_iMGmXrikGb7F-162wTdgJ8bZJHO90d0A
mega[.]nz/file/QURACQhY#Vk3W73HapLoiaVd1wH9QVGuy7c69wK8pSf9ZAqnr-lA
mega[.]nz/file/QkAFDQhR#QC_l-5MWf9zqt9l3wfFUg2joicLlzR3rGrF7Ab1ELk4
mega[.]nz/file/R8hE2aSJ#8-dRV0iIblfY3BFv8DnR3r6WhgjqFLXtAsdzY8lmNB4
mega[.]nz/file/RsYyDAzJ#rrtWuY1mtC5xy6V13dSdt6yo7nGmNjEluAEQ23udDIY
mega[.]nz/file/UsZnUAhA#3YCXr96qdzMLa00adGYKpiUlwsvcuuyWl6HR5OV1MLA
mega[.]nz/file/V84CBI5J#2OYUKgsYKHGNCvUL6uVzumEd1Ctn2EvqIPPdZCR8iXE
mega[.]nz/file/VMxHSZiT#0aAoz2IluNYHeTmYEOrSb-nqM20Mxc5Lj76r4248T2o
mega[.]nz/file/VhxlACrB#7pNbRtsR2LWonGl_cjkfXh-BUkexBfiAHW8W-80vLR8
mega[.]nz/file/VwRXHKhR#pWZDGJgQLTRTgXzRVh9rgFCrmTLAyTpLnmL7YsdlWOE
mega[.]nz/file/Ys5FmYxS#-0kvjCIBQXqDtGOVP-KAjSK7KNdeLDObncg_DJF-2Xo
mega[.]nz/file/YtFTUITZ#WEeyPncAUVSVjrMs_FnsPgVKfCMX1hCFafWS4q1nuzQ
mega[.]nz/file/ZNg3zCzQ#38bODDuobfEgxCh-jOdcNX3C8UPd6pLCcX639CJJI4U
mega[.]nz/file/ctV2hZTD#koV0C9nv260KWV42OQ9FanR4WdeZTuXKaATM8nee7yk
mega[.]nz/file/cwoXyJRL#kKEZhHP5kvPEGL6ahtctDqSbP9zzX5KnoOYzIPP6kvE
mega[.]nz/file/dBwSXDpC#arKlgBo1114m2PyDOj5xb0BhzPBhqe2wis9KNxtk5aY
mega[.]nz/file/h1lmDDwS#zbgpouBDfw-przmSlD-wlVfwcYxaR41KAgHwUPWGwJM
mega[.]nz/file/hlUm2ZJZ#VSk18Z0E1R46wxq48ETQ1itMXXxFuDzywFwCGNlt35k
mega[.]nz/file/hp4G1aaT#X4DZzEj1PElYzvbptLotEcAmtNihacoRgqRgx4zlWDM
mega[.]nz/file/kFo1yCBD#7nzTGzcTZapq9qZbpiQ4iZklgz5ee6q7yWr-IDQbUd4
mega[.]nz/file/kdAzgCzB#fe74hjumIo2KyeYCw0h0anSedODn-VJC8j1isfBIHEY
mega[.]nz/file/lNgyWTza#SOBvCixV0OOsO8E4rvwpOmUg-i_cZ4vB0tdvJTURiPA
mega[.]nz/file/loYQTKaT#vf_X682ecst_vz4hQjLJ89SZmUVVhugqVTwQgeMO7sc
mega[.]nz/file/o5h2CAzT#iLrtcoRlYtzm6GPYmipJPIGEX7qE-P50yj-ybBU9anI
mega[.]nz/file/p05QwaRT#bqtNVfWKBLtJPNJ9sFOjXRNtjKapwMAk4IwB-eYvNAA
mega[.]nz/file/p05QwaRT#bqtNVfWKBLtJPNJ9sFOjXRNtjKapwMAk4IwB-eYvNAA 
mega[.]nz/file/p8kWwTqT#oSTRJloI5oMLhL9FLvmWDsCjwW9CiUD4FIPuP4VWaiI
mega[.]nz/file/ppZEkKaK#B-urCiubVnRNGrLXQ_1lM4OLYNqI-Q4oBDPGRtVwUls
mega[.]nz/file/s4BBGSwT#r_bAc22nLVkjQJU53xnBY9_DRPLxFMbL27vL0-3MSkU
mega[.]nz/file/sBYgSZjZ#F1qjBoGZY_rJEL_wq_sbTNcnKsBCwehzvwcIIcekrMo
mega[.]nz/file/towmjLzI#LzcRgAEL7RN8jwSFOnI6_TU5qV4CfqFqphjQGs0FLvg
mega[.]nz/file/twRCATyZ#5xTdZgrbCxb4HBvN6AM_79Tvg02H_nLLiCwDM95h-KM
mega[.]nz/file/w5oU1LZY#OMW_MbBnpheNlPVZsBECpvDr5K2cWyiiXO1_UHdeHEM
mega[.]nz/file/x8oRAaYY#52wO4k6ENmhZJIqAvxlRlN7YbL-BZRHRq9r_DVrUS-M
mega[.]nz/file/xNAUjSQS#WufFv-cdrc45BL2TrUdeNa3ijAo8CxoDoZImCon-RMQ
mega[.]nz/folder/ogBBnCYD#8dsYu-ikNdnM-uDAjutoMg
progs[.]su
sendspace[.]com/file/061inf
sendspace[.]com/file/0prar9
sendspace[.]com/file/2vxjkh
sendspace[.]com/file/6cuxdb
sendspace[.]com/file/91b1l8
sendspace[.]com/file/azfe6l
sendspace[.]com/file/blhldl
sendspace[.]com/file/buti2l
sendspace[.]com/file/cbzy9i
sendspace[.]com/file/cbzy9i
sendspace[.]com/file/dr1xxh
sendspace[.]com/file/dsilg9
sendspace[.]com/file/e87sfs
sendspace[.]com/file/eq6sea
sendspace[.]com/file/eq6sea
sendspace[.]com/file/fkziff
sendspace[.]com/file/fu4u7g
sendspace[.]com/file/fu4u7g
sendspace[.]com/file/hl3g7v
sendspace[.]com/file/kg0m46
sendspace[.]com/file/otxi12
sendspace[.]com/file/plwz9u
sendspace[.]com/file/qfjn7e
sendspace[.]com/file/s0ltvx
sendspace[.]com/file/s0ltvx
sendspace[.]com/file/vk3zjv
sendspace[.]com/file/xw8ldd
sendspace[.]com/file/zepg6n
sendspace[.]com/file/zepg6n​
vk[.]progs[.]su
```


## File names
```
%APPDATA%\Local\Temp\1qw23.exe
%APPDATA%\Local\Temp\DavzZL\MSASCui.exe
%APPDATA%\Local\Temp\MSASCui.exe
%APPDATA%\Local\Temp\RuntimeBroker.exe
%APPDATA%\Local\Temp\SecurityHelth.exe
%APPDATA%\Local\Temp\vbgujr7v.exe
%APPDATA%\Roaming\AdobeX\UserAccountControlSettings.exe
%APPDATA%\Roaming\AdobeX\flashplayer.exe
%APPDATA%\Roaming\Defender\DefenderUpdate.exe
%APPDATA%\Roaming\Defender\MSASCui.exe
%APPDATA%\Roaming\FlashPlayer\FlashPlayer.exe
%APPDATA%\Roaming\Health\SecurityHealthSystray.exe
%APPDATA%\Roaming\NVIDIA\SecurityHealth.exe
%APPDATA%\Roaming\Protect\WmiPrve.exe
%APPDATA%\Roaming\Realtek\SearchProtocolHost.exe
%APPDATA%\Roaming\Realtek\SecurityHealth.exe
%APPDATA%\Roaming\Security\SecurityHealth.exe
%APPDATA%\Roaming\System\DXCpl.exe
%APPDATA%\Roaming\System\splwow.exe
%APPDATA%\Roaming\WIND0WS\Explorer.exe
%APPDATA%\Roaming\WIND0WS\FlashPlayer.exe
%APPDATA%\Roaming\WIND0WS\User.exe
%APPDATA%\Roaming\WIND0WS\UserAccountControlSettings.exe
%APPDATA%\Roaming\WINDDWS\Winserv.exe
%APPDATA%\Roaming\WinSecurityHealth\SecurityHealth.exe
%APPDATA%\Roaming\WmiPrv\WmiPrvSE.exe
%APPDATA%\Roaming\dftmp\SecurityHealth.exe
%APPDATA%\Roaming\p60fhh\Flash.exe
```


## Mutexes
```
0kezHr8NVFLmGsLePNFaEYm7FPxK9L9yn
3C35FH8hKAuPv8jYboeJXnysvZqUt3f3q
AyxTVEBaJDByEHaGYTW3FG56zf1s5P6gx
GI8Pu5K9UQSNmuJiM3CPvVbSOdYQjCDvwsMWxkXXGrybkBvMRzUJbqWcVjB3u4TS
Vs3xjr1pNeqf3f32CU1Qf2uLQNRY7QHuT
WBU7punCFmjK4sZCZc592RnzYpJr2APgZ
uf7UX2VR3HPhtOKAHyn33pDN4v716mEjB
x1jh28RpFlszLbjvp8A8GzBBA3Vm7DQy5
x1jh28RpFlszLbjvp8A8GzBBA3VmDQy5
x1jh28RpFlszLbjvp8A8GzBBA3VmDQy578
```