Anomaly_OB Updated.rar

Upon extraction and execution, the malware typically copies itself to the %AppData% or %LocalAppData% folder and creates a Scheduled Task or a Registry Run key so that it starts with Windows. The data it targets includes:
- Session tokens for Discord, Steam, and Minecraft.
- The IP address, hardware ID (HWID), and screenshots of the desktop.

Indicators of Compromise (IoCs):
- Suspicious processes running from temporary directories with randomized names.
- New, hidden folders in %AppData% containing .txt or .json files staged for upload.

Recommended Actions:
- If you still have the .rar file, delete it immediately without opening it.
- If it was executed, disconnect the device from the internet to stop data exfiltration.
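The following triage script is an added example, not part of the original advisory, that checks a Windows host for the persistence and staging indicators described above: Run/RunOnce keys and scheduled tasks that launch from %AppData% or %LocalAppData%, running processes whose image lives in a temp directory (with a crude randomized-name heuristic), and hidden folders under the profile that hold .txt or .json files. It assumes PowerShell 5.1 or later with the ScheduledTasks and NetAdapter modules, and should be run elevated for full visibility of HKLM and all tasks. The -Isolate switch is a hypothetical convenience that implements the advisory's "disconnect from the internet" step by disabling network adapters; it is off by default so the scan itself changes nothing.

```powershell
<#
  Added triage example (not from the original advisory). Assumes a Windows
  host with PowerShell 5.1+ and the ScheduledTasks / NetAdapter modules.
  Run elevated for full visibility into HKLM and every scheduled task.
#>
param(
    # Hypothetical switch: disable all network adapters after the scan to
    # stop exfiltration. Off by default so the script is read-only.
    [switch]$Isolate
)

$findings = New-Object System.Collections.Generic.List[string]
$userDirs = @($env:APPDATA, $env:LOCALAPPDATA)
$tempDirs = @($env:TEMP, (Join-Path $env:LOCALAPPDATA 'Temp'), (Join-Path $env:windir 'Temp'))

function Test-UnderPath([string]$Path, [string[]]$Roots) {
    if (-not $Path) { return $false }
    foreach ($r in $Roots) {
        if ($r -and $Path.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Run / RunOnce values whose command points into %AppData% or %LocalAppData%
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($cmd -match '\\AppData\\(Roaming|Local)\\') {
            $findings.Add("RunKey  $key\$($p.Name) -> $cmd")
        }
    }
}

# 2. Scheduled tasks whose action executes from a user profile folder
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($a in $task.Actions) {
        $exe = [Environment]::ExpandEnvironmentVariables([string]$a.Execute)
        if ($exe -match '\\AppData\\(Roaming|Local)\\') {
            $findings.Add("Task    $($task.TaskPath)$($task.TaskName) -> $exe $($a.Arguments)")
        }
    }
}

# 3. Running processes whose image lives in a temp directory. The name check
#    tags 8+ character names made only of letters and digits as a rough proxy
#    for randomised filenames (heuristic; expect some false positives).
foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
    $path = $proc.Path
    if (Test-UnderPath $path $tempDirs) {
        $tag = if ($proc.ProcessName -match '^[A-Za-z0-9]{8,}$') { 'random-name' } else { 'temp-dir' }
        $findings.Add("Process $($proc.Id) $($proc.ProcessName) [$tag] -> $path")
    }
}

# 4. Hidden folders under %AppData% / %LocalAppData% holding .txt or .json files
foreach ($root in $userDirs) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            $staged = Get-ChildItem -Path $_.FullName -Recurse -Force -File -Include *.txt,*.json -ErrorAction SilentlyContinue
            if ($staged) {
                $findings.Add("Staging $($_.FullName) ($($staged.Count) .txt/.json file(s))")
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Host 'No indicators found.'
} else {
    Write-Host "$($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Host "  $_" }
    if ($Isolate) {
        # Cut network access but keep the host up so evidence is preserved.
        Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
        Write-Host 'Network adapters disabled.'
    }
}
```

Run it as `.\Find-StealerIoCs.ps1` first to review the findings, then rerun with `-Isolate` if anything matches; re-enable adapters with `Get-NetAdapter | Enable-NetAdapter` once the host has been imaged or cleaned. Legitimate software (updaters, Electron apps) also runs from %LocalAppData%, so treat each hit as a lead to inspect, not as proof of infection.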